Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1562489
MD5:3e4c006936e63898c8bd8c4aba82db63
SHA1:3dd0d90d652c98b8fdd2faaf926f3a4c533c28ba
SHA256:fbd037ce912d8db1d1d6f4a899a9b296666db15bc3465d8262cad706f8e30124
Tags:exeuser-Bitsight
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3E4C006936E63898C8BD8C4ABA82DB63)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-11-25T16:21:06.705885+010020283713Unknown Traffic192.168.2.449730104.21.7.169443TCP
2024-11-25T16:21:08.561995+010020283713Unknown Traffic192.168.2.449731104.21.7.169443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-11-25T16:21:07.729409+010020546531A Network Trojan was detected192.168.2.449730104.21.7.169443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-11-25T16:21:07.729409+010020498361A Network Trojan was detected192.168.2.449730104.21.7.169443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: file.exeAvira: detected
Antivirus detection for URL or domain
Source: https://occupy-blushi.sbs/apistgAvira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/YAvira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/apiAvira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/QAvira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs:443/apiAvira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/apihAvira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/aAvira URL Cloud: Label: malware
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exeJoe Sandbox ML: detected
Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknownHTTPS traffic detected: 104.21.7.169:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [eax], bl0_2_00DCCF05
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h]0_2_00DCE0D8
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then push eax0_2_00DFF8D0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edi, eax0_2_00DFF8D0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+14h]0_2_00DC98F0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edx, eax0_2_00DFB8E0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edx, ecx0_2_00DFB8E0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh0_2_00DFC040
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh0_2_00DFC040
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h0_2_00DFC040
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh0_2_00DFC040
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [ebx], al0_2_00DE0870
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then push eax0_2_00DFB860
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov ecx, eax0_2_00DCC02B
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edi, byte ptr [esp+edx+14h]0_2_00DCE970
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [esi], cx0_2_00DCEA38
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax-65h]0_2_00DCE35B
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h0_2_00DFBCE0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edx, ecx0_2_00DCBC9D
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, ebp0_2_00DC5C90
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, ebp0_2_00DC5C90
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_00DE8CB0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [eax+ecx]0_2_00DCAD00
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [edi]0_2_00DE5E90
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h]0_2_00DC77D0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax0_2_00DC77D0
Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch]0_2_00E00F60

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.7.169:443
Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.7.169:443
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.7.169:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.7.169:443
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: occupy-blushi.sbs
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: property-imper.sbs
Source: global trafficDNS traffic detected: DNS query: frogs-severz.sbs
Source: global trafficDNS traffic detected: DNS query: occupy-blushi.sbs
Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: occupy-blushi.sbs
Source: file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/
Source: file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/Q
Source: file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/Y
Source: file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/a
Source: file.exe, 00000000.00000003.1754419700.0000000001409000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754688414.000000000146D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001471000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/api
Source: file.exe, 00000000.00000003.1754419700.0000000001409000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/apih
Source: file.exe, 00000000.00000003.1754688414.000000000146D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs/apistg
Source: file.exe, 00000000.00000003.1754419700.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.00000000013F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://occupy-blushi.sbs:443/api
Source: file.exe, 00000000.00000003.1754419700.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.00000000013F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs:443/api
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownHTTPS traffic detected: 104.21.7.169:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

barindex
PE file contains section with special chars
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DF90300_2_00DF9030
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC89A00_2_00DC89A0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCCF050_2_00DCCF05
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCE0D80_2_00DCE0D8
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFF8D00_2_00DFF8D0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC98F00_2_00DC98F0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFB8E00_2_00DFB8E0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC68400_2_00DC6840
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFC0400_2_00DFC040
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE08700_2_00DE0870
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DF41D00_2_00DF41D0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC61A00_2_00DC61A0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCE9700_2_00DCE970
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC5AC90_2_00DC5AC9
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F8C2E20_2_00F8C2E2
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC4AC00_2_00DC4AC0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCB2100_2_00DCB210
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC92100_2_00DC9210
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F872140_2_00F87214
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC2B800_2_00DC2B80
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E9E36D0_2_00E9E36D
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DDFB600_2_00DDFB60
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DDDB300_2_00DDDB30
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC94D00_2_00DC94D0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC6CC00_2_00DC6CC0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F134C70_2_00F134C7
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DF24E00_2_00DF24E0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC5C900_2_00DC5C90
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E00C800_2_00E00C80
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE8CB00_2_00DE8CB0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F914280_2_00F91428
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC542C0_2_00DC542C
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC35800_2_00DC3580
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E015800_2_00E01580
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE3D700_2_00DE3D70
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F8DD4C0_2_00F8DD4C
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F88D470_2_00F88D47
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCAD000_2_00DCAD00
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD95300_2_00DD9530
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F1AEFE0_2_00F1AEFE
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE5E900_2_00DE5E90
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE06500_2_00DE0650
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F6563D0_2_00F6563D
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE7E200_2_00DE7E20
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC77D00_2_00DC77D0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC27D00_2_00DC27D0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE17900_2_00DE1790
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFC7800_2_00DFC780
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F94F990_2_00F94F99
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DF87B00_2_00DF87B0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E00F600_2_00E00F60
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DE87700_2_00DE8770
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F857400_2_00F85740
Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exeStatic PE information: Section: ZLIB complexity 0.9992443647540984
Source: file.exeStatic PE information: Section: nimjfmzf ZLIB complexity 0.9941631701852977
Source: classification engineClassification label: mal100.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DF27B0 CoCreateInstance,0_2_00DF27B0
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: file.exeStatic file information: File size 1857024 > 1048576
Source: file.exeStatic PE information: Raw size of nimjfmzf is bigger than: 0x100000 < 0x19b800

Data Obfuscation

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.dc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nimjfmzf:EW;hhcykgyz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nimjfmzf:EW;hhcykgyz:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: file.exeStatic PE information: real checksum: 0x1ceac1 should be: 0x1cc70c
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: nimjfmzf
Source: file.exeStatic PE information: section name: hhcykgyz
Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01051910 push 6CDC6E65h; mov dword ptr [esp], esp0_2_01051938
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0103491C push ebx; mov dword ptr [esp], eax0_2_0103493C
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F968AE push 38F78928h; mov dword ptr [esp], edx0_2_00F969F6
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0106195A push esi; mov dword ptr [esp], eax0_2_01061978
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0106195A push 057CE57Bh; mov dword ptr [esp], ecx0_2_010619A3
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0106195A push ebp; mov dword ptr [esp], ecx0_2_010619DB
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FBE0A6 push esi; mov dword ptr [esp], 459219C8h0_2_00FBE0F1
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FBE0A6 push 4658FFB0h; mov dword ptr [esp], ebp0_2_00FBE2BE
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0102116D push 397634E4h; mov dword ptr [esp], ebx0_2_010211B4
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E71062 push ecx; mov dword ptr [esp], edx0_2_00E71066
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E71062 push 527D76E6h; mov dword ptr [esp], ebp0_2_00E71095
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E71062 push eax; mov dword ptr [esp], 30EEE192h0_2_00E710A1
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD5057 push eax; iretd 0_2_00DD5058
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010859AE push edx; mov dword ptr [esp], eax0_2_010859DA
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010401A3 push 4232F1BEh; mov dword ptr [esp], edx0_2_0104020F
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010019A8 push eax; mov dword ptr [esp], 3F7320CCh0_2_010019CB
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010609AF push 23F893FBh; mov dword ptr [esp], eax0_2_01060A02
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010111B6 push 0614BF81h; mov dword ptr [esp], ecx0_2_010111F4
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010111B6 push esi; mov dword ptr [esp], 5EFFC7F5h0_2_01011244
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010111B6 push ecx; mov dword ptr [esp], esi0_2_0101127B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010AA9B6 push 55CCD2ADh; mov dword ptr [esp], esp0_2_010AA9DA
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010389D6 push esi; mov dword ptr [esp], ebp0_2_010389E0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010669E6 push ecx; mov dword ptr [esp], edx0_2_01066F22
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010171F4 push ebp; mov dword ptr [esp], 7DEDB0A7h0_2_01017217
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD8028 push esp; ret 0_2_00DD802B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0108100B push 5BDE3BD0h; mov dword ptr [esp], ebp0_2_01081020
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0108100B push ecx; mov dword ptr [esp], ebx0_2_010810E5
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD81DA push eax; iretd 0_2_00DD81DB
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF31A7 push eax; mov dword ptr [esp], 77269E26h0_2_00FF31DD
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100C064 push ebx; mov dword ptr [esp], ecx0_2_0100C0A2
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100D879 push 5E6C8666h; mov dword ptr [esp], eax0_2_0100D8AE
Source: file.exeStatic PE information: section name: entropy: 7.9801189215523864
Source: file.exeStatic PE information: section name: nimjfmzf entropy: 7.953320482667518

Boot Survival

barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1D2C3 second address: E1D2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CA7E second address: E1CA82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99A6C second address: F99A82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99A82 second address: F99A94 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8620F4D3ECh 0x00000008 je 00007F8620F4D3E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99A94 second address: F99A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99C11 second address: F99C36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F8620F4D3E6h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99C36 second address: F99C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9BD8E second address: F9BD97 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9BD97 second address: F9BDCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11E4h 0x00000009 popad 0x0000000a popad 0x0000000b add dword ptr [esp], 58ABBE60h 0x00000012 mov cx, E092h 0x00000016 lea ebx, dword ptr [ebp+12452C02h] 0x0000001c clc 0x0000001d push eax 0x0000001e jl 00007F86207E11E4h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9BDCE second address: F9BDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9BE99 second address: F9BEB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F86207E11E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9BFCB second address: F9C038 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f jmp 00007F8620F4D3F0h 0x00000014 popad 0x00000015 nop 0x00000016 mov ecx, dword ptr [ebp+122D2ADDh] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F8620F4D3E8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 jmp 00007F8620F4D3F8h 0x0000003d push D365CD60h 0x00000042 push ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 push edi 0x00000046 pop edi 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C038 second address: F9C0AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b add dword ptr [esp], 2C9A3320h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F86207E11D8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1A51h], ebx 0x00000032 stc 0x00000033 push 00000003h 0x00000035 movzx edi, di 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F86207E11D8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 push ebx 0x00000055 mov edx, esi 0x00000057 pop esi 0x00000058 push 00000003h 0x0000005a push 9C4512DAh 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F86207E11DDh 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C0AD second address: F9C0B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C0B1 second address: F9C0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C0BA second address: F9C0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 xor dword ptr [esp], 5C4512DAh 0x0000000d mov dword ptr [ebp+122D2D36h], esi 0x00000013 lea ebx, dword ptr [ebp+12452C16h] 0x00000019 mov dword ptr [ebp+122D2D31h], esi 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92B4C second address: F92B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11E5h 0x00000009 jmp 00007F86207E11E2h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F86207E11DCh 0x00000017 jmp 00007F86207E11E2h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB0FC second address: FBB102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB102 second address: FBB108 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB108 second address: FBB12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8620F4D3EEh 0x0000000c jno 00007F8620F4D3E6h 0x00000012 jnl 00007F8620F4D3E6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB12E second address: FBB132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB3F3 second address: FBB3FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F8620F4D3E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB3FE second address: FBB40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jl 00007F86207E11D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB55B second address: FBB58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F2h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F8620F4D3E6h 0x00000012 jmp 00007F8620F4D3F5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB58F second address: FBB59B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB59B second address: FBB59F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB59F second address: FBB5A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB5A9 second address: FBB5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB5AD second address: FBB5D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jo 00007F86207E11F3h 0x0000000d jmp 00007F86207E11E3h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB715 second address: FBB743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8620F4D3EDh 0x0000000a pushad 0x0000000b jmp 00007F8620F4D3F9h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB87A second address: FBB880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB9F8 second address: FBB9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBB61 second address: FBBB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11DFh 0x00000009 jmp 00007F86207E11E4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBCCF second address: FBBCD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBE5E second address: FBBE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007F86207E11DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBE6D second address: FBBE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBE76 second address: FBBE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 jbe 00007F86207E11DAh 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBE8E second address: FBBE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBFD7 second address: FBBFFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F86207E11D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F86207E11E4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBFFB second address: FBBFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBFFF second address: FBC009 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F86207E11D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC009 second address: FBC00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC00F second address: FBC021 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC021 second address: FBC031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC031 second address: FBC035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC17E second address: FBC184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC2E7 second address: FBC2EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3A0C second address: FB3A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3A12 second address: FB3A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F86207E11E3h 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3A2C second address: FB3A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3A31 second address: FB3A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB3A37 second address: FB3A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3EEh 0x00000009 jmp 00007F8620F4D3F6h 0x0000000e popad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F3F2 second address: F8F402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F86207E11D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F402 second address: F8F406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F406 second address: F8F40A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC487 second address: FBC491 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBCA2D second address: FBCA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBCA33 second address: FBCA3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBCA3B second address: FBCA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F86207E11DCh 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBCEAC second address: FBCEB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD15B second address: FBD172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F86207E11E2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD172 second address: FBD177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD177 second address: FBD197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F86207E11DFh 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F86207E11D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC334E second address: FC3352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC39D8 second address: FC3A36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F86207E11E1h 0x00000008 jo 00007F86207E11D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F86207E11E1h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jnc 00007F86207E11F3h 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC3A36 second address: FC3A40 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7C4D second address: FC7C51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7C51 second address: FC7C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F8620F4D3E8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F83775 second address: F8379F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DDh 0x00000007 jmp 00007F86207E11E5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC712F second address: FC7151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F3h 0x00000009 jng 00007F8620F4D3E8h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7151 second address: FC7163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 ja 00007F86207E1207h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7163 second address: FC716D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8620F4D3E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC72BC second address: FC72C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC75B7 second address: FC75D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8620F4D3F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC913E second address: FC9162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F86207E11E4h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9162 second address: FC9166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9166 second address: FC9175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F86207E11D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9175 second address: FC91AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F8620F4D3F4h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8620F4D3F5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC91AC second address: FC91B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F86207E11D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC91B6 second address: FC9224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F8620F4D3E8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 call 00007F8620F4D3E9h 0x00000028 pushad 0x00000029 jno 00007F8620F4D3ECh 0x0000002f jmp 00007F8620F4D3F8h 0x00000034 popad 0x00000035 push eax 0x00000036 jmp 00007F8620F4D3EFh 0x0000003b mov eax, dword ptr [esp+04h] 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push edi 0x00000044 pop edi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9224 second address: FC922A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC922A second address: FC922F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC922F second address: FC9256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jl 00007F86207E11E4h 0x0000000f jmp 00007F86207E11DEh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 pushad 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9788 second address: FC978C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC978C second address: FC9792 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9D80 second address: FC9DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F6h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d js 00007F8620F4D3ECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCA89E second address: FCA8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCA8A2 second address: FCA8AC instructions: 0x00000000 rdtsc 0x00000002 je 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCA8AC second address: FCA92A instructions: 0x00000000 rdtsc 0x00000002 js 00007F86207E11ECh 0x00000008 jmp 00007F86207E11E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F86207E11DEh 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F86207E11D8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D2BB5h] 0x00000036 push 00000000h 0x00000038 or dword ptr [ebp+12477E39h], edi 0x0000003e push 00000000h 0x00000040 xchg eax, ebx 0x00000041 jmp 00007F86207E11DDh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jno 00007F86207E11DCh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCD34D second address: FCD359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8620F4D3E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCBBAB second address: FCBBAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCD359 second address: FCD361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE428 second address: FCE42E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE42E second address: FCE441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F8620F4D3E8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE1E9 second address: FCE1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE441 second address: FCE45E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8620F4D3F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE1EF second address: FCE1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE45E second address: FCE4C8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F8620F4D3E8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push esi 0x00000028 pop edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F8620F4D3E8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 xor dword ptr [ebp+122D1D01h], ecx 0x0000004b push 00000000h 0x0000004d mov si, 24EEh 0x00000051 push eax 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCE4C8 second address: FCE4CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCEF16 second address: FCEF1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCEF1C second address: FCEFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 ja 00007F86207E11E6h 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D18CBh], edi 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F86207E11D8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D1CADh], edx 0x00000035 call 00007F86207E11E1h 0x0000003a xor edi, dword ptr [ebp+122D29A5h] 0x00000040 pop esi 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007F86207E11D8h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 00000015h 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d xchg eax, ebx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 pushad 0x00000062 popad 0x00000063 jl 00007F86207E11D6h 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCEFAA second address: FCEFC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8620F4D3ECh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFA9F second address: FCFAA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFAA8 second address: FCFAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8620F4D3E6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F8620F4D3ECh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF7CC second address: FCF7D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCF7D2 second address: FCF7D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6B69 second address: FD6B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD0D4C second address: FD0D6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8620F4D3EFh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F8620F4D3E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F90F7A second address: F90F80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD9FC4 second address: FDA026 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+1244DA33h], eax 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F8620F4D3E8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c cld 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F8620F4D3E8h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 sub dword ptr [ebp+122D364Ch], edi 0x0000004f xchg eax, esi 0x00000050 push esi 0x00000051 push eax 0x00000052 push edx 0x00000053 je 00007F8620F4D3E6h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDA026 second address: FDA06A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F86207E11E3h 0x00000013 jmp 00007F86207E11E1h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD1805 second address: FD1809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD5D83 second address: FD5D89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDD689 second address: FDD68F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDD68F second address: FDD703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnl 00007F86207E11DAh 0x00000012 push ebx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 nop 0x00000017 mov ebx, ecx 0x00000019 push 00000000h 0x0000001b jmp 00007F86207E11E4h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F86207E11D8h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c mov ebx, edi 0x0000003e xchg eax, esi 0x0000003f jl 00007F86207E11E4h 0x00000045 push eax 0x00000046 push edx 0x00000047 je 00007F86207E11D6h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDE687 second address: FDE68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDD811 second address: FDD816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF635 second address: FDF63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF63A second address: FDF6AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sbb ebx, 75101876h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F86207E11D8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub edi, dword ptr [ebp+12461F8Ch] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007F86207E11D8h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 push eax 0x00000051 jbe 00007F86207E11E4h 0x00000057 push eax 0x00000058 push edx 0x00000059 push ebx 0x0000005a pop ebx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF6AC second address: FDF6B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDE793 second address: FDE797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE0791 second address: FE0797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF8DC second address: FDF8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF8E2 second address: FDF8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF8ED second address: FDF8F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE3807 second address: FE380F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE19A3 second address: FE1A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007F86207E11E2h 0x0000000b jmp 00007F86207E11DCh 0x00000010 popad 0x00000011 nop 0x00000012 mov ebx, dword ptr [ebp+122D3878h] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f jno 00007F86207E11DCh 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F86207E11D8h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 mov eax, dword ptr [ebp+122D0F5Dh] 0x0000004c mov edi, dword ptr [ebp+122D2C51h] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push ebx 0x00000057 call 00007F86207E11D8h 0x0000005c pop ebx 0x0000005d mov dword ptr [esp+04h], ebx 0x00000061 add dword ptr [esp+04h], 00000016h 0x00000069 inc ebx 0x0000006a push ebx 0x0000006b ret 0x0000006c pop ebx 0x0000006d ret 0x0000006e jnc 00007F86207E11D8h 0x00000074 nop 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1A35 second address: FE1A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1A39 second address: FE1A3F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1A3F second address: FE1A55 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8620F4D3ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE5A43 second address: FE5B0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F86207E11E6h 0x00000008 jp 00007F86207E11D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 jmp 00007F86207E11DAh 0x00000017 push dword ptr fs:[00000000h] 0x0000001e or dword ptr [ebp+12461F8Ch], eax 0x00000024 mov bx, 99B7h 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F86207E11D8h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 jnl 00007F86207E11DDh 0x0000004f mov eax, dword ptr [ebp+122D0DFDh] 0x00000055 sub edi, dword ptr [ebp+122D3892h] 0x0000005b push FFFFFFFFh 0x0000005d push 00000000h 0x0000005f push eax 0x00000060 call 00007F86207E11D8h 0x00000065 pop eax 0x00000066 mov dword ptr [esp+04h], eax 0x0000006a add dword ptr [esp+04h], 0000001Ah 0x00000072 inc eax 0x00000073 push eax 0x00000074 ret 0x00000075 pop eax 0x00000076 ret 0x00000077 mov dword ptr [ebp+122D364Ch], ebx 0x0000007d or dword ptr [ebp+12463682h], eax 0x00000083 nop 0x00000084 pushad 0x00000085 jmp 00007F86207E11E6h 0x0000008a pushad 0x0000008b push ecx 0x0000008c pop ecx 0x0000008d push eax 0x0000008e push edx 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8E13 second address: FE8E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8008 second address: FE8024 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF3369 second address: FF339D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F8620F4D3F1h 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8620F4D3EFh 0x00000014 push edx 0x00000015 jc 00007F8620F4D3E6h 0x0000001b push esi 0x0000001c pop esi 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF339D second address: FF33B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007F86207E11D6h 0x00000009 ja 00007F86207E11D6h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF33B1 second address: FF33B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF33B7 second address: FF33BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86D67 second address: F86D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F8620F4D3E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86D76 second address: F86D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2A6A second address: FF2A94 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 ja 00007F8620F4D3E6h 0x00000016 pop ecx 0x00000017 jmp 00007F8620F4D3F3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2A94 second address: FF2A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2BFD second address: FF2C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2C03 second address: FF2C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF2C0C second address: FF2C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7275 second address: FF727B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF727B second address: FF727F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF727F second address: FF728F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF728F second address: FF72A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 je 00007F8620F4D3ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF72A0 second address: FF72A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF74AC second address: FF74D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e jmp 00007F8620F4D3EDh 0x00000013 pop ebx 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F8620F4D3E8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF74D7 second address: FF7510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F86207E11DCh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push edx 0x00000010 jmp 00007F86207E11E4h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a pushad 0x0000001b jo 00007F86207E11DCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7510 second address: FF7517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF761F second address: E1CA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 218ED09Eh 0x0000000c cmc 0x0000000d push dword ptr [ebp+122D1609h] 0x00000013 jmp 00007F86207E11DCh 0x00000018 jmp 00007F86207E11E1h 0x0000001d call dword ptr [ebp+122D1D3Fh] 0x00000023 pushad 0x00000024 clc 0x00000025 xor eax, eax 0x00000027 pushad 0x00000028 jmp 00007F86207E11DEh 0x0000002d mov si, 0A5Dh 0x00000031 popad 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 add dword ptr [ebp+122D1A07h], ebx 0x0000003c mov dword ptr [ebp+122D2AE1h], eax 0x00000042 clc 0x00000043 mov esi, 0000003Ch 0x00000048 pushad 0x00000049 pushad 0x0000004a mov edx, edi 0x0000004c mov edx, dword ptr [ebp+122D2B4Dh] 0x00000052 popad 0x00000053 jmp 00007F86207E11DFh 0x00000058 popad 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d jmp 00007F86207E11E2h 0x00000062 lodsw 0x00000064 jc 00007F86207E11ECh 0x0000006a jmp 00007F86207E11E6h 0x0000006f clc 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 mov dword ptr [ebp+122D1FD8h], ecx 0x0000007a pushad 0x0000007b mov edx, dword ptr [ebp+122D2ADDh] 0x00000081 sbb edi, 77D5BB3Ch 0x00000087 popad 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c sub dword ptr [ebp+122D1FD8h], ebx 0x00000092 push eax 0x00000093 pushad 0x00000094 push eax 0x00000095 push edx 0x00000096 pushad 0x00000097 popad 0x00000098 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC939 second address: FFC93E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCAA1 second address: FFCAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F86207E11DCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCAB4 second address: FFCAD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F6h 0x00000007 jnc 00007F8620F4D3E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCAD4 second address: FFCB00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E0h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jg 00007F86207E11D6h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 js 00007F86207E11D8h 0x0000001a push esi 0x0000001b pop esi 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCC4E second address: FFCC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCC52 second address: FFCC60 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCEEC second address: FFCF18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3EEh 0x00000007 jmp 00007F8620F4D3EBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F8620F4D3ECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCF18 second address: FFCF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCF1E second address: FFCF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCF24 second address: FFCF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFCF2E second address: FFCF44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8620F4D3E6h 0x0000000a jmp 00007F8620F4D3EBh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD3C7 second address: FFD3DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD3DD second address: FFD3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD3E3 second address: FFD3F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F86207E11E1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD3F9 second address: FFD3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD35E2 second address: FB3A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 cld 0x00000007 mov edi, 088735FCh 0x0000000c call dword ptr [ebp+122D398Ch] 0x00000012 push esi 0x00000013 push ebx 0x00000014 jg 00007F86207E11D6h 0x0000001a pushad 0x0000001b popad 0x0000001c pop ebx 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD36AA second address: FD3764 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c add cx, 21FBh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 pushad 0x00000019 clc 0x0000001a mov esi, 3A443754h 0x0000001f popad 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F8620F4D3E8h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 movzx edi, dx 0x00000044 mov dword ptr [ebp+1248A3C4h], esp 0x0000004a movzx edx, bx 0x0000004d movzx edx, ax 0x00000050 cmp dword ptr [ebp+122D2A81h], 00000000h 0x00000057 jne 00007F8620F4D4A6h 0x0000005d sub dword ptr [ebp+1245A8BEh], eax 0x00000063 call 00007F8620F4D3F9h 0x00000068 or dx, FB37h 0x0000006d pop edi 0x0000006e mov byte ptr [ebp+122D1A5Fh], 00000047h 0x00000075 jmp 00007F8620F4D3F2h 0x0000007a mov eax, D49AA7D2h 0x0000007f and ch, FFFFFFA0h 0x00000082 push eax 0x00000083 pushad 0x00000084 jmp 00007F8620F4D3EAh 0x00000089 push eax 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3B48 second address: FD3BF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F86207E11E3h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push esi 0x00000013 push edi 0x00000014 jmp 00007F86207E11E4h 0x00000019 pop edi 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jl 00007F86207E11E9h 0x00000025 jmp 00007F86207E11E3h 0x0000002a pop eax 0x0000002b movsx edx, ax 0x0000002e call 00007F86207E11D9h 0x00000033 push ebx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 jg 00007F86207E11D6h 0x0000003d popad 0x0000003e pop ebx 0x0000003f push eax 0x00000040 push edi 0x00000041 jmp 00007F86207E11E2h 0x00000046 pop edi 0x00000047 mov eax, dword ptr [esp+04h] 0x0000004b pushad 0x0000004c jnl 00007F86207E11DCh 0x00000052 jne 00007F86207E11D8h 0x00000058 popad 0x00000059 mov eax, dword ptr [eax] 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F86207E11DFh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD45A7 second address: FD45AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD45AB second address: FD45B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD45B5 second address: FD45E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8620F4D3EBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD45E1 second address: FD45EB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD45EB second address: FD45F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8620F4D3E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD4968 second address: FD496C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD496C second address: FD4970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD4970 second address: FD4987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F86207E11DFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD4987 second address: FB44C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov cx, bx 0x0000000d call dword ptr [ebp+122D3594h] 0x00000013 pushad 0x00000014 jmp 00007F8620F4D3F2h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB44C4 second address: FB44C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB44C8 second address: FB44EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB44EB second address: FB44FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB44FD second address: FB4501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4501 second address: FB4509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4509 second address: FB4513 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8620F4D3ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100204F second address: 1002056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10021F4 second address: 10021F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10021F8 second address: 10021FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006C97 second address: 1006C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007136 second address: 100716A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 ja 00007F86207E11DAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F86207E11E2h 0x00000014 jmp 00007F86207E11DDh 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100716A second address: 100716E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10072FE second address: 1007310 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F86207E11DEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007BA8 second address: 1007BBB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8620F4D3E6h 0x00000008 jo 00007F8620F4D3E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007BBB second address: 1007BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F86207E11D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007BC7 second address: 1007BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D737 second address: 100D746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D746 second address: 100D758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F8620F4D3ECh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D758 second address: 100D77E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 je 00007F86207E11D6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F86207E11E0h 0x00000015 jnl 00007F86207E11D6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C0D2 second address: 100C0EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jne 00007F8620F4D3E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8620F4D3EEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C25E second address: 100C282 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F86207E11D6h 0x00000008 jmp 00007F86207E11E7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C282 second address: 100C295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3EEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C295 second address: 100C2AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F86207E11D6h 0x00000009 jp 00007F86207E11D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F86207E11D6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C95B second address: 100C982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F8620F4D3FDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C982 second address: 100C988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100CAAF second address: 100CAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100CAB7 second address: 100CAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F86207E11D8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F86207E11E0h 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F86207E11E4h 0x00000019 jne 00007F86207E11DCh 0x0000001f je 00007F86207E11D6h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100CF7B second address: 100CF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D578 second address: 100D5A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F86207E11E3h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ebx 0x00000012 je 00007F86207E11D6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100D5A0 second address: 100D5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 jne 00007F8620F4D3E6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jno 00007F8620F4D3E6h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BDDB second address: 100BDE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BDE4 second address: 100BDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F8620F4D3E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10115D7 second address: 1011614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F86207E11D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F86207E11F1h 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007F86207E11E9h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jg 00007F86207E11D6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1017480 second address: 101748F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F8620F4D3E6h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101748F second address: 10174A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F86207E11E7h 0x0000000b jmp 00007F86207E11DBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101775F second address: 1017769 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8620F4D3F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101997E second address: 1019984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1019984 second address: 101998A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101E3CB second address: 101E3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 je 00007F86207E11D8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101DE92 second address: 101DE98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101DE98 second address: 101DEA8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F86207E11D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020922 second address: 1020928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020928 second address: 102092E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102092E second address: 1020934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020C2A second address: 1020C37 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020C37 second address: 1020C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026086 second address: 102608C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102608C second address: 1026096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026096 second address: 102609A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102609A second address: 102609E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102609E second address: 10260A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10261E5 second address: 1026214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3EEh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8620F4D3EDh 0x00000011 jmp 00007F8620F4D3EDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026214 second address: 1026218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026360 second address: 1026388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8620F4D3F1h 0x0000000d jmp 00007F8620F4D3EFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026388 second address: 102638C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102638C second address: 10263A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10263A9 second address: 10263BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11E0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026518 second address: 102651D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10266DB second address: 10266DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD431A second address: FD431E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026B0F second address: 1026B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F86207E11D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E99F second address: 102E9A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9A8 second address: 102E9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11DBh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jmp 00007F86207E11DFh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9CF second address: 102E9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9D5 second address: 102E9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9DA second address: 102E9E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CD74 second address: 102CD81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CD81 second address: 102CDA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F8620F4D3E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F8620F4D3F0h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D075 second address: 102D07E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D07E second address: 102D086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D3E5 second address: 102D3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D3ED second address: 102D406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F4h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D96F second address: 102D975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D975 second address: 102D979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D979 second address: 102D97D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D97D second address: 102D983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D983 second address: 102D9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F86207E11D6h 0x0000000d jmp 00007F86207E11DFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D9A1 second address: 102D9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D9A6 second address: 102D9AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D9AC second address: 102D9B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D9B0 second address: 102D9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DEE3 second address: 102DEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DEE9 second address: 102DF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F86207E11DAh 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F86207E11D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DF04 second address: 102DF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E1D8 second address: 102E1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11DBh 0x00000009 popad 0x0000000a push ebx 0x0000000b je 00007F86207E11D6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E1F2 second address: 102E1FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8620F4D3E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030CE4 second address: 1030CED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030CED second address: 1030CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3EBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1035220 second address: 103522C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F86207E11D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103522C second address: 1035230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037FBA second address: 1037FBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037FBE second address: 1037FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038110 second address: 1038120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F86207E11D6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038120 second address: 1038136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F8620F4D3EEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038136 second address: 103813C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103813C second address: 1038155 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8620F4D3EDh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038155 second address: 103815B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103844B second address: 1038450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038450 second address: 103845B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F86207E11D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103845B second address: 103846A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8620F4D3E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038A00 second address: 1038A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038A06 second address: 1038A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038A0B second address: 1038A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007F86207E11D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F69E second address: 103F6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F949 second address: 103F953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F86207E11D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F953 second address: 103F992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F7h 0x00000007 jmp 00007F8620F4D3EDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007F8620F4D401h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8620F4D3EFh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F992 second address: 103F996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FAD5 second address: 103FAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FAEF second address: 103FAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FAF3 second address: 103FAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FAF9 second address: 103FB09 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F86207E11DAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FDF8 second address: 103FE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8620F4D3E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FE03 second address: 103FE09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FE09 second address: 103FE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FF3C second address: 103FF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F86207E11E1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040374 second address: 1040378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040378 second address: 104037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104037C second address: 10403A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F8620F4D3F9h 0x0000000c jnc 00007F8620F4D3E6h 0x00000012 jmp 00007F8620F4D3EDh 0x00000017 pop ebx 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10403A3 second address: 10403BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10403BE second address: 10403C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040AF9 second address: 1040AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040AFD second address: 1040B03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040B03 second address: 1040B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F86207E11E1h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007F86207E11D6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1040B29 second address: 1040B2F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10453A1 second address: 10453AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048C51 second address: 1048C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007F8620F4D3E6h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F8620F4D3EEh 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048C72 second address: 1048C86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048C86 second address: 1048C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048F1F second address: 1048F3B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F86207E11E2h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1048F3B second address: 1048F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105422B second address: 105422F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105422F second address: 1054246 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8620F4D3EDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054246 second address: 1054255 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F86207E11DAh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059B45 second address: 1059B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8620F4D3F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061C02 second address: 1061C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061C08 second address: 1061C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3EBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061C19 second address: 1061C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061C1E second address: 1061C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8620F4D3EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106973D second address: 1069751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F86207E11DDh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069751 second address: 1069767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8620F4D3F0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069767 second address: 106976B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106976B second address: 106978A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8620F4D3F5h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106CA25 second address: 106CA35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F86207E11D6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106CA35 second address: 106CA39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106CA39 second address: 106CA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C83E second address: 106C855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8620F4D3EDh 0x00000009 jnl 00007F8620F4D3E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C855 second address: 106C883 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F86207E11E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F86207E11DCh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C883 second address: 106C889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C889 second address: 106C88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C88D second address: 106C8BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F8620F4D3F7h 0x0000000c jmp 00007F8620F4D3F2h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10727D0 second address: 10727D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10727D4 second address: 10727EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F8620F4D3E6h 0x0000000e jmp 00007F8620F4D3ECh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10727EE second address: 1072806 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F86207E11D6h 0x00000008 je 00007F86207E11D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F86207E11D6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072806 second address: 1072824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072824 second address: 1072828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072828 second address: 1072839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F8620F4D3E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072839 second address: 1072846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 ja 00007F86207E11EFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107305F second address: 1073073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F8620F4D3E6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F8620F4D3E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080B67 second address: 1080B87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jne 00007F86207E11D6h 0x00000013 jne 00007F86207E11D6h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080B87 second address: 1080BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8620F4D3F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10912EE second address: 10912FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F86207E11D6h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093BB0 second address: 1093BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3F0h 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F8620F4D3E6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093BD1 second address: 1093BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F86207E11D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093BDD second address: 1093BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7299 second address: 10A72A9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F86207E11D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A72A9 second address: 10A72D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F8620F4D3E8h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 jnc 00007F8620F4D3E6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A72D1 second address: 10A72D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A72D7 second address: 10A72F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8620F4D3EEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F8620F4D3E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A72F2 second address: 10A72F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB05 second address: 10ABB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB0D second address: 10ABB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB13 second address: 10ABB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F8620F4D3EEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAA40 second address: 10AAA58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F86207E11E2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAA58 second address: 10AAA7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8620F4D3EAh 0x00000007 jno 00007F8620F4D3ECh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007F8620F4D3FEh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAA7B second address: 10AAA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F86207E11D6h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AABDD second address: 10AABE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AABE6 second address: 10AABEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAE77 second address: 10AAE97 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8620F4D3F0h 0x0000000f jnp 00007F8620F4D3E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAE97 second address: 10AAE9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAE9D second address: 10AAEA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAEA3 second address: 10AAED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F86207E11E5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F86207E11DFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AAED1 second address: 10AAEDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F8620F4D3E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AB843 second address: 10AB847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE712 second address: 10AE716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE716 second address: 10AE77C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F86207E11DBh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F86207E11D8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dx, C570h 0x0000002d push 00000004h 0x0000002f mov dx, si 0x00000032 call 00007F86207E11D9h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F86207E11E9h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AE77C second address: 10AE786 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8620F4D3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AEA0D second address: 10AEA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F86207E11E2h 0x00000009 popad 0x0000000a push ecx 0x0000000b ja 00007F86207E11D6h 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jnl 00007F86207E11D6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AEA38 second address: 10AEA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AEA3C second address: 10AEA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AEA42 second address: 10AEA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AEA48 second address: 10AEB0C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F86207E11D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push edx 0x0000000e add edx, dword ptr [ebp+122D2AA1h] 0x00000014 pop edx 0x00000015 push dword ptr [ebp+122D2567h] 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F86207E11D8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 mov edx, dword ptr [ebp+122D36ADh] 0x0000003b mov edx, dword ptr [ebp+122D2C79h] 0x00000041 call 00007F86207E11D9h 0x00000046 jmp 00007F86207E11E7h 0x0000004b push eax 0x0000004c jbe 00007F86207E11E4h 0x00000052 push ebx 0x00000053 jmp 00007F86207E11DCh 0x00000058 pop ebx 0x00000059 mov eax, dword ptr [esp+04h] 0x0000005d ja 00007F86207E11F8h 0x00000063 mov eax, dword ptr [eax] 0x00000065 push esi 0x00000066 pushad 0x00000067 pushad 0x00000068 popad 0x00000069 push ebx 0x0000006a pop ebx 0x0000006b popad 0x0000006c pop esi 0x0000006d mov dword ptr [esp+04h], eax 0x00000071 push eax 0x00000072 jnp 00007F86207E11DCh 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8A346 second address: F8A34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8A34A second address: F8A365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F86207E11E2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8A365 second address: F8A36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8A36D second address: F8A383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F86207E11DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCBDF6 second address: FCBE0D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8620F4D3E8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jno 00007F8620F4D3E6h 0x00000016 pop edx 0x00000017 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E1CB25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: FC1F4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: FD36FC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 104B90A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7396Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7396Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1755453214.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.000000000141A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.000000000141A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.00000000013D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.1754419700.000000000141A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.000000000141A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW!
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
Source: C:\Users\user\Desktop\file.exeFile opened: SICE
Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFDF70 LdrInitializeThunk,0_2_00DFDF70
Source: file.exe, file.exe, 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: vProgram Manager
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		24
Virtualization/Sandbox Evasion		OS Credential Dumping631
Security Software Discovery		Remote Services1
Archive Collected Data		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory24
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
Obfuscated Files or Information		Security Account Manager2
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive13
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
Software Packing		NTDS223
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
file.exe100%AviraTR/Crypt.TPM.Gen
file.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://occupy-blushi.sbs/apistg100%Avira URL Cloudmalware
https://occupy-blushi.sbs/Y100%Avira URL Cloudmalware
https://occupy-blushi.sbs/api100%Avira URL Cloudmalware
https://occupy-blushi.sbs/Q100%Avira URL Cloudmalware
https://occupy-blushi.sbs/100%Avira URL Cloudmalware
https://occupy-blushi.sbs:443/api100%Avira URL Cloudmalware
https://occupy-blushi.sbs/apih100%Avira URL Cloudmalware
https://occupy-blushi.sbs/a100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
occupy-blushi.sbs
104.21.7.169
truetrue
    		unknown
    property-imper.sbs
    		unknown
    		unknownfalse
      		high
      frogs-severz.sbs
      		unknown
      		unknownfalse
        		high

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        https://occupy-blushi.sbs/apitrue
        • Avira URL Cloud: malware
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://property-imper.sbs:443/apifile.exe, 00000000.00000003.1754419700.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.00000000013F3000.00000004.00000020.00020000.00000000.sdmpfalse
          		high
          https://occupy-blushi.sbs/apistgfile.exe, 00000000.00000003.1754688414.000000000146D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown
          https://occupy-blushi.sbs/Yfile.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown
          https://occupy-blushi.sbs:443/apifile.exe, 00000000.00000003.1754419700.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.00000000013F3000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown
          https://occupy-blushi.sbs/file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown
          https://occupy-blushi.sbs/apihfile.exe, 00000000.00000003.1754419700.0000000001409000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown
          https://occupy-blushi.sbs/Qfile.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown
          https://occupy-blushi.sbs/afile.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          		unknown

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          104.21.7.169
          		occupy-blushi.sbsUnited States
          		13335CLOUDFLARENETUStrue

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1562489
          Start date and time:2024-11-25 16:20:08 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 2m 40s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:1
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:file.exe
          Detection:MAL
          Classification:mal100.evad.winEXE@1/0@3/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:Failed
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated

          Warnings

          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: file.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          10:21:07API Interceptor2x Sleep call for process: file.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          occupy-blushi.sbsfile.exeGet hashmaliciousLummaC StealerBrowse
          • 172.67.187.240
          file.exeGet hashmaliciousUnknownBrowse
          • 172.67.187.240
          file.exeGet hashmaliciousLummaC StealerBrowse
          • 193.143.1.19

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          CLOUDFLARENETUSRICHIESTA D'OFFERTA.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
          • 104.26.12.205
          Rooming list.jsGet hashmaliciousRemcosBrowse
          • 104.21.84.67
          file.exeGet hashmaliciousLummaC StealerBrowse
          • 172.67.187.240
          file.exeGet hashmaliciousUnknownBrowse
          • 172.67.187.240
          Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docxGet hashmaliciousHTMLPhisherBrowse
          • 104.17.25.14
          https://vectaire.doclawfederal.com/uDLtT/Get hashmaliciousHTMLPhisherBrowse
          • 172.67.201.42
          pJKrbGSI.ps1Get hashmaliciousLummaCBrowse
          • 172.67.218.163
          https://pastebin.com/raw/0v6VhvpbGet hashmaliciousUnknownBrowse
          • 104.20.4.235
          DJ5PhUwOsM.exeGet hashmaliciousAgentTesla, XWormBrowse
          • 104.26.13.205
          https://docs.zoom.us/doc/5mbYcD6lRBK5O3HcDEXhFA?from=emailGet hashmaliciousUnknownBrowse
          • 172.67.201.42

          JA3 Fingerprints

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaC StealerBrowse
          • 104.21.7.169
          file.exeGet hashmaliciousUnknownBrowse
          • 104.21.7.169
          pJKrbGSI.ps1Get hashmaliciousLummaCBrowse
          • 104.21.7.169
          Evjm8L1nEb.exeGet hashmaliciousUnknownBrowse
          • 104.21.7.169
          PVJ6cLZQ0T.xlsGet hashmaliciousUnknownBrowse
          • 104.21.7.169
          AnuhIsNqBl.exeGet hashmaliciousLummaCBrowse
          • 104.21.7.169
          Evjm8L1nEb.exeGet hashmaliciousUnknownBrowse
          • 104.21.7.169
          oGjfUw6bZu.exeGet hashmaliciousLummaCBrowse
          • 104.21.7.169
          AnuhIsNqBl.exeGet hashmaliciousLummaCBrowse
          • 104.21.7.169
          sjth8TLl4P.exeGet hashmaliciousLummaCBrowse
          • 104.21.7.169

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.947937763515621
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:file.exe
          File size:1'857'024 bytes
          MD5:3e4c006936e63898c8bd8c4aba82db63
          SHA1:3dd0d90d652c98b8fdd2faaf926f3a4c533c28ba
          SHA256:fbd037ce912d8db1d1d6f4a899a9b296666db15bc3465d8262cad706f8e30124
          SHA512:09f231009c7b390d4d403c3449c8ff5dcb9555eb5513dab5612c557fd51d82e5a1162eeb1c6a9e80897c671386b53b012fb10881082c255998a7023040637745
          SSDEEP:49152:PrXcHzJtvI2RuB084kdd5/T9yf0rD23QKjPcMExeebwZ:Pr6z3vI2E4kdnT9yf0rarjInbu
          TLSH:018533461E7403EFE488B7BA575F09354B7162B00CAA29756E8B5312DEB3D920F79332
          File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................I...........@...........................I...........@.................................\...p..

          File Icon

          Icon Hash:90cececece8e8eb0

          Static PE Info

          General

          Entrypoint:0x89a000
          Entrypoint Section:.taggant
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:2eabe9054cad5152567f0699947a2c5b

          Entrypoint Preview

          Instruction
          jmp 00007F8620FBA12Ah
          sysenter
          sbb al, 00h
          add byte ptr [eax], al
          add byte ptr [eax], al
          jmp 00007F8620FBC125h
          add byte ptr [edx], al
          or al, byte ptr [eax]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], dh
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [esi], al
          add byte ptr [eax], 00000000h
          add byte ptr [eax], al
          add byte ptr [eax], al
          adc byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add dword ptr [edx], ecx
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          adc byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add ecx, dword ptr [edx]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add dword ptr [eax+00000000h], eax
          add byte ptr [eax], al
          adc byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add dword ptr [edx], ecx
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          xor byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax+eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [ecx], al
          add byte ptr [eax], 00000000h
          add byte ptr [eax], al
          add byte ptr [eax], al
          adc byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add eax, 0000000Ah
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax+0Ah], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          or byte ptr [eax+00000000h], al
          add byte ptr [eax], al

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0x5805c0x70.idata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x570000x2b0.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x581f80x8.idata
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x00x0
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          0x10000x560000x26200ebab22e106c20f8a3f8af1e56691d6c6False0.9992443647540984data7.9801189215523864IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0x570000x2b00x20047aba858746817065f2d71b6612f00e6False0.798828125data6.021266387897709IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .idata 0x580000x10000x200c92ced077364b300efd06b14c70a61dcFalse0.15625data1.1194718105633323IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          0x590000x2a40000x200817674f682fb61df2a6257eb45d2f56eunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          nimjfmzf0x2fd0000x19c0000x19b8001c3e1fa6b9de917d1af8db14c7f8b608False0.9941631701852977data7.953320482667518IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          hhcykgyz0x4990000x10000x40001ee7cbfdc9b48b8f1f00392978dc112False0.7783203125data6.090686837782648IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .taggant0x49a0000x30000x22008984385cb7785b2559213aff46ad2218False0.05652573529411765DOS executable (COM)0.6504968447755347IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_MANIFEST0x4984a80x256ASCII text, with CRLF line terminators0.5100334448160535

          Imports

          DLLImport
          kernel32.dlllstrcpy

          Network Behavior

          Suricata IDS Alerts

          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
          2024-11-25T16:21:06.705885+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449730104.21.7.169443TCP
          2024-11-25T16:21:07.729409+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.449730104.21.7.169443TCP
          2024-11-25T16:21:07.729409+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449730104.21.7.169443TCP
          2024-11-25T16:21:08.561995+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449731104.21.7.169443TCP

          Network Port Distribution

          TCP Packets

          TimestampSource PortDest PortSource IPDest IP
          Nov 25, 2024 16:21:05.367860079 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:05.367892027 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:05.367994070 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:05.416450024 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:05.416464090 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:06.705676079 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:06.705884933 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:06.710335970 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:06.710380077 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:06.710628033 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:06.752156973 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:06.762391090 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:06.762475967 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:06.762502909 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:07.729412079 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:07.729537964 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:07.729598999 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:07.731375933 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:07.731396914 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:07.731408119 CET49730443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:07.731416941 CET44349730104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:07.780246019 CET49731443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:07.780328989 CET44349731104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:07.780428886 CET49731443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:07.784687996 CET49731443192.168.2.4104.21.7.169
          Nov 25, 2024 16:21:07.784729004 CET44349731104.21.7.169192.168.2.4
          Nov 25, 2024 16:21:08.561995029 CET49731443192.168.2.4104.21.7.169

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Nov 25, 2024 16:21:04.596411943 CET6185953192.168.2.41.1.1.1
          Nov 25, 2024 16:21:04.827194929 CET53618591.1.1.1192.168.2.4
          Nov 25, 2024 16:21:04.857182980 CET5706353192.168.2.41.1.1.1
          Nov 25, 2024 16:21:05.086047888 CET53570631.1.1.1192.168.2.4
          Nov 25, 2024 16:21:05.088205099 CET5540353192.168.2.41.1.1.1
          Nov 25, 2024 16:21:05.329493999 CET53554031.1.1.1192.168.2.4

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Nov 25, 2024 16:21:04.596411943 CET192.168.2.41.1.1.10x61c0Standard query (0)property-imper.sbsA (IP address)IN (0x0001)false
          Nov 25, 2024 16:21:04.857182980 CET192.168.2.41.1.1.10x7e7cStandard query (0)frogs-severz.sbsA (IP address)IN (0x0001)false
          Nov 25, 2024 16:21:05.088205099 CET192.168.2.41.1.1.10xcf1aStandard query (0)occupy-blushi.sbsA (IP address)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Nov 25, 2024 16:21:04.827194929 CET1.1.1.1192.168.2.40x61c0Name error (3)property-imper.sbsnonenoneA (IP address)IN (0x0001)false
          Nov 25, 2024 16:21:05.086047888 CET1.1.1.1192.168.2.40x7e7cName error (3)frogs-severz.sbsnonenoneA (IP address)IN (0x0001)false
          Nov 25, 2024 16:21:05.329493999 CET1.1.1.1192.168.2.40xcf1aNo error (0)occupy-blushi.sbs104.21.7.169A (IP address)IN (0x0001)false
          Nov 25, 2024 16:21:05.329493999 CET1.1.1.1192.168.2.40xcf1aNo error (0)occupy-blushi.sbs172.67.187.240A (IP address)IN (0x0001)false

          HTTP Request Dependency Graph

          • occupy-blushi.sbs

          HTTPS Proxied Packets

          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
          0192.168.2.449730104.21.7.1694437280C:\Users\user\Desktop\file.exe
          TimestampBytes transferredDirectionData
          2024-11-25 15:21:06 UTC264OUTPOST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: occupy-blushi.sbs
          2024-11-25 15:21:06 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
          Data Ascii: act=life
          2024-11-25 15:21:07 UTC1020INHTTP/1.1 200 OK
          Date: Mon, 25 Nov 2024 15:21:07 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: close
          Set-Cookie: PHPSESSID=ijai95jr1gkk4u7b9emk05po2d; expires=Fri, 21-Mar-2025 09:07:46 GMT; Max-Age=9999999; path=/
          Expires: Thu, 19 Nov 1981 08:52:00 GMT
          Cache-Control: no-store, no-cache, must-revalidate
          Pragma: no-cache
          cf-cache-status: DYNAMIC
          vary: accept-encoding
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HgI%2BqvOZG5AD94YIEMQuiOOhfz3VMbVxT%2BRt91mWAsznBsqEqXWl4qxpRQ60DROGjwRTryrPsQlNwHdeP%2BLgm1E4cVdl6%2BNo2g1dO6vxPELTax%2B1OYlB4bT4hIDaIWPNvEpg0w%3D%3D"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          Server: cloudflare
          CF-RAY: 8e82a06abbf80fa8-EWR
          alt-svc: h3=":443"; ma=86400
          server-timing: cfL4;desc="?proto=TCP&rtt=2562&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1877813&cwnd=252&unsent_bytes=0&cid=79eedf8db1c0b9a9&ts=1044&x=0"
          2024-11-25 15:21:07 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
          Data Ascii: 2ok
          2024-11-25 15:21:07 UTC5INData Raw: 30 0d 0a 0d 0a
          Data Ascii: 0


          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          System Behavior

          General

          Target ID:0
          Start time:10:21:02
          Start date:25/11/2024
          Path:C:\Users\user\Desktop\file.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\file.exe"
          Imagebase:0xdc0000
          File size:1'857'024 bytes
          MD5 hash:3E4C006936E63898C8BD8C4ABA82DB63
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:3.2%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:67%
            Total number of Nodes:230
            Total number of Limit Nodes:13
            execution_graph 6913 e002c0 6914 e002e0 6913->6914 6914->6914 6915 e0041e 6914->6915 6917 dfdf70 LdrInitializeThunk 6914->6917 6917->6915 6928 e00a00 6930 e00a30 6928->6930 6929 e00b2e 6932 e00a7e 6930->6932 6934 dfdf70 LdrInitializeThunk 6930->6934 6932->6929 6935 dfdf70 LdrInitializeThunk 6932->6935 6934->6932 6935->6929 6712 dce0d8 6713 dce100 6712->6713 6715 dce16e 6713->6715 6728 dfdf70 LdrInitializeThunk 6713->6728 6717 dce22e 6715->6717 6729 dfdf70 LdrInitializeThunk 6715->6729 6730 de5e90 6717->6730 6719 dce29d 6738 de6190 6719->6738 6721 dce2bd 6748 de7e20 6721->6748 6725 dce2e6 6768 de8c90 6725->6768 6727 dce2ef 6728->6715 6729->6717 6737 de5f30 6730->6737 6731 de6026 6771 de1790 6731->6771 6732 de60b5 6735 de1790 2 API calls 6732->6735 6734 de6020 6734->6719 6735->6734 6737->6731 6737->6732 6737->6734 6777 e00f60 6737->6777 6739 de619e 6738->6739 6810 e00b70 6739->6810 6741 e00f60 2 API calls 6744 de5fe0 6741->6744 6742 de6026 6747 de1790 2 API calls 6742->6747 6743 de60b5 6746 de1790 2 API calls 6743->6746 6744->6741 6744->6742 6744->6743 6745 de6020 6744->6745 6745->6721 6746->6745 6747->6743 6749 de80a0 6748->6749 6752 de7e4c 6748->6752 6757 dce2dd 6748->6757 6758 de80d7 6748->6758 6815 dfded0 6749->6815 6750 e00f60 2 API calls 6750->6752 6752->6749 6752->6750 6752->6752 6753 e00b70 LdrInitializeThunk 6752->6753 6752->6757 6752->6758 6753->6752 6754 e00b70 LdrInitializeThunk 6754->6758 6760 de8770 6757->6760 6758->6754 6758->6757 6759 dfdf70 LdrInitializeThunk 6758->6759 6819 e00c80 6758->6819 6827 e01580 6758->6827 6759->6758 6761 de87a0 6760->6761 6762 de882e 6761->6762 6839 dfdf70 LdrInitializeThunk 6761->6839 6764 dfb7e0 RtlAllocateHeap 6762->6764 6767 de895e 6762->6767 6765 de88b1 6764->6765 6765->6767 6840 dfdf70 LdrInitializeThunk 6765->6840 6767->6725 6841 de8cb0 6768->6841 6770 de8c99 6770->6727 6776 de17a0 6771->6776 6772 de183e 6772->6732 6774 de1861 6774->6772 6789 de3d70 6774->6789 6776->6772 6776->6774 6785 e00610 6776->6785 6779 e00f90 6777->6779 6778 e00fde 6780 dfb7e0 RtlAllocateHeap 6778->6780 6784 e010ae 6778->6784 6779->6778 6808 dfdf70 LdrInitializeThunk 6779->6808 6782 e0101f 6780->6782 6782->6784 6809 dfdf70 LdrInitializeThunk 6782->6809 6784->6737 6784->6784 6786 e00630 6785->6786 6787 e0075e 6786->6787 6801 dfdf70 LdrInitializeThunk 6786->6801 6787->6774 6790 e00480 LdrInitializeThunk 6789->6790 6791 de3db0 6790->6791 6797 de44c3 6791->6797 6802 dfb7e0 6791->6802 6794 de3dee 6800 de3e7c 6794->6800 6805 dfdf70 LdrInitializeThunk 6794->6805 6795 de4427 6795->6797 6807 dfdf70 LdrInitializeThunk 6795->6807 6796 dfb7e0 RtlAllocateHeap 6796->6800 6797->6772 6800->6795 6800->6796 6806 dfdf70 LdrInitializeThunk 6800->6806 6801->6787 6803 dfb800 6802->6803 6803->6803 6804 dfb83f RtlAllocateHeap 6803->6804 6804->6794 6805->6794 6806->6800 6807->6795 6808->6778 6809->6784 6811 e00b90 6810->6811 6813 e00c4f 6811->6813 6814 dfdf70 LdrInitializeThunk 6811->6814 6813->6744 6814->6813 6816 dfdf3e 6815->6816 6818 dfdeea 6815->6818 6817 dfb7e0 RtlAllocateHeap 6816->6817 6817->6818 6818->6758 6820 e00cb0 6819->6820 6821 e00cfe 6820->6821 6835 dfdf70 LdrInitializeThunk 6820->6835 6823 dfb7e0 RtlAllocateHeap 6821->6823 6826 e00e0f 6821->6826 6824 e00d8b 6823->6824 6824->6826 6836 dfdf70 LdrInitializeThunk 6824->6836 6826->6758 6826->6826 6828 e01591 6827->6828 6829 e0163e 6828->6829 6837 dfdf70 LdrInitializeThunk 6828->6837 6831 dfb7e0 RtlAllocateHeap 6829->6831 6833 e017de 6829->6833 6832 e016ae 6831->6832 6832->6833 6838 dfdf70 LdrInitializeThunk 6832->6838 6833->6758 6835->6821 6836->6826 6837->6829 6838->6833 6839->6762 6840->6767 6842 de8d10 6841->6842 6842->6842 6851 dfb8e0 6842->6851 6844 de8d6d 6844->6770 6846 de8d45 6846->6844 6849 de8e66 6846->6849 6859 dfbb20 6846->6859 6863 dfc040 6846->6863 6850 de8ece 6849->6850 6871 dfbfa0 6849->6871 6850->6770 6852 dfb900 6851->6852 6853 dfb93e 6852->6853 6875 dfdf70 LdrInitializeThunk 6852->6875 6854 dfb7e0 RtlAllocateHeap 6853->6854 6858 dfba1f 6853->6858 6856 dfb9c5 6854->6856 6856->6858 6876 dfdf70 LdrInitializeThunk 6856->6876 6858->6846 6860 dfbbce 6859->6860 6861 dfbb31 6859->6861 6860->6846 6861->6860 6877 dfdf70 LdrInitializeThunk 6861->6877 6864 dfc090 6863->6864 6870 dfc0d8 6864->6870 6878 dfdf70 LdrInitializeThunk 6864->6878 6865 dfc73e 6865->6846 6867 dfc6cf 6867->6865 6879 dfdf70 LdrInitializeThunk 6867->6879 6869 dfdf70 LdrInitializeThunk 6869->6870 6870->6865 6870->6867 6870->6869 6873 dfbfc0 6871->6873 6872 dfc00e 6872->6849 6873->6872 6880 dfdf70 LdrInitializeThunk 6873->6880 6875->6853 6876->6858 6877->6860 6878->6870 6879->6865 6880->6872 6905 dce970 6906 dce8b8 6905->6906 6908 dce948 6906->6908 6909 dfdf70 LdrInitializeThunk 6906->6909 6908->6908 6909->6908 6910 dd9130 6911 dfb8e0 2 API calls 6910->6911 6912 dd9158 6911->6912 6941 dddb30 6942 dddb70 6941->6942 6945 dcb210 6942->6945 6946 dcb2a0 6945->6946 6947 dcb2d6 6946->6947 6948 dfded0 RtlAllocateHeap 6946->6948 6948->6946 6706 dcceb3 CoInitializeSecurity 6707 dcd7d3 CoUninitialize 6708 dcd7da 6707->6708 6900 dcdc33 6902 dcdcd0 6900->6902 6901 dcdd4e 6902->6901 6904 dfdf70 LdrInitializeThunk 6902->6904 6904->6901 6892 dce88f 6893 dce88e 6892->6893 6893->6892 6895 dce89c 6893->6895 6898 dfdf70 LdrInitializeThunk 6893->6898 6897 dce948 6895->6897 6899 dfdf70 LdrInitializeThunk 6895->6899 6898->6895 6899->6897 6949 dcc32b 6950 dfded0 RtlAllocateHeap 6949->6950 6951 dcc338 6950->6951 6639 dccf05 6640 dccf20 6639->6640 6645 df9030 6640->6645 6642 dccf7a 6643 df9030 5 API calls 6642->6643 6644 dcd3ca 6643->6644 6646 df9090 6645->6646 6647 df91b1 SysAllocString 6646->6647 6651 df966a 6646->6651 6649 df91df 6647->6649 6648 df969c GetVolumeInformationW 6653 df96ba 6648->6653 6650 df91ea CoSetProxyBlanket 6649->6650 6649->6651 6650->6651 6654 df920a 6650->6654 6651->6648 6652 df9658 SysFreeString SysFreeString 6652->6651 6653->6642 6654->6652 6655 dc89a0 6657 dc89af 6655->6657 6656 dc8cb3 ExitProcess 6657->6656 6658 dc8cae 6657->6658 6663 dcce80 CoInitializeEx 6657->6663 6664 dfdeb0 6658->6664 6667 dff460 6664->6667 6666 dfdeb5 FreeLibrary 6666->6656 6668 dff469 6667->6668 6668->6666 6669 de1960 6670 de19d8 6669->6670 6675 dd9530 6670->6675 6672 de1a84 6673 dd9530 LdrInitializeThunk 6672->6673 6674 de1b29 6673->6674 6676 dd9560 6675->6676 6687 e00480 6676->6687 6678 dd9756 6684 dd9783 6678->6684 6686 dd96ca 6678->6686 6691 e00880 6678->6691 6679 dd974b 6697 e007b0 6679->6697 6680 dd962e 6680->6678 6680->6679 6681 e00480 LdrInitializeThunk 6680->6681 6680->6684 6680->6686 6681->6680 6684->6686 6701 dfdf70 LdrInitializeThunk 6684->6701 6686->6672 6688 e004a0 6687->6688 6689 e005be 6688->6689 6702 dfdf70 LdrInitializeThunk 6688->6702 6689->6680 6692 e008b0 6691->6692 6695 e008fe 6692->6695 6703 dfdf70 LdrInitializeThunk 6692->6703 6693 e009ae 6693->6684 6695->6693 6704 dfdf70 LdrInitializeThunk 6695->6704 6699 e007e0 6697->6699 6698 e0082e 6698->6678 6699->6698 6705 dfdf70 LdrInitializeThunk 6699->6705 6701->6686 6702->6689 6703->6695 6704->6693 6705->6698 6709 dfb7e0 6710 dfb800 6709->6710 6710->6710 6711 dfb83f RtlAllocateHeap 6710->6711 6881 dfbce0 6882 dfbd5a 6881->6882 6883 dfbcf2 6881->6883 6883->6882 6885 dfbd52 6883->6885 6889 dfdf70 LdrInitializeThunk 6883->6889 6884 dfbede 6884->6882 6891 dfdf70 LdrInitializeThunk 6884->6891 6885->6884 6885->6885 6890 dfdf70 LdrInitializeThunk 6885->6890 6889->6885 6890->6884 6891->6882

            Executed Functions

            Function 00DF9030 Relevance: 21.6, APIs: 5, Strings: 7, Instructions: 629memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 0 df9030-df9089 1 df9090-df90c6 0->1 1->1 2 df90c8-df90e4 1->2 4 df90e6 2->4 5 df90f1-df913f 2->5 4->5 7 df968c-df96b8 call dff9a0 GetVolumeInformationW 5->7 8 df9145-df9177 5->8 13 df96bc-df96df call de0650 7->13 14 df96ba 7->14 9 df9180-df91af 8->9 9->9 11 df91b1-df91e4 SysAllocString 9->11 18 df91ea-df9204 CoSetProxyBlanket 11->18 19 df9674-df9688 11->19 20 df96e0-df96e8 13->20 14->13 21 df966a-df9670 18->21 22 df920a-df9225 18->22 19->7 20->20 23 df96ea-df96ec 20->23 21->19 25 df9230-df9262 22->25 26 df96fe-df972d call de0650 23->26 27 df96ee-df96fb call dc8330 23->27 25->25 28 df9264-df92df 25->28 36 df9730-df9738 26->36 27->26 35 df92e0-df930b 28->35 35->35 37 df930d-df933d 35->37 36->36 38 df973a-df973c 36->38 49 df9658-df9668 SysFreeString * 2 37->49 50 df9343-df9365 37->50 39 df974e-df977d call de0650 38->39 40 df973e-df974b call dc8330 38->40 46 df9780-df9788 39->46 40->39 46->46 48 df978a-df978c 46->48 51 df979e-df97cb call de0650 48->51 52 df978e-df979b call dc8330 48->52 49->21 57 df964b-df9655 50->57 58 df936b-df936e 50->58 61 df97d0-df97d8 51->61 52->51 57->49 58->57 60 df9374-df9379 58->60 60->57 63 df937f-df93cf 60->63 61->61 64 df97da-df97dc 61->64 70 df93d0-df9416 63->70 65 df97ee-df97f5 64->65 66 df97de-df97eb call dc8330 64->66 66->65 70->70 71 df9418-df942d 70->71 72 df9431-df9433 71->72 73 df9439-df943f 72->73 74 df9636-df9647 72->74 73->74 75 df9445-df9452 73->75 74->57 76 df948d 75->76 77 df9454-df9459 75->77 80 df948f-df94b7 call dc82b0 76->80 79 df946c-df9470 77->79 82 df9472-df947b 79->82 83 df9460 79->83 89 df94bd-df94cb 80->89 90 df95e8-df95f9 80->90 87 df947d-df9480 82->87 88 df9482-df9486 82->88 86 df9461-df946a 83->86 86->79 86->80 87->86 88->86 91 df9488-df948b 88->91 89->90 92 df94d1-df94d5 89->92 93 df95fb 90->93 94 df9600-df960c 90->94 91->86 95 df94e0-df94ea 92->95 93->94 96 df960e 94->96 97 df9613-df9633 call dc82e0 call dc82c0 94->97 98 df94ec-df94f1 95->98 99 df9500-df9506 95->99 96->97 97->74 101 df9590-df9596 98->101 102 df9508-df950b 99->102 103 df9525-df9533 99->103 109 df9598-df959e 101->109 102->103 105 df950d-df9523 102->105 106 df95aa-df95b3 103->106 107 df9535-df9538 103->107 105->101 110 df95b9-df95bc 106->110 111 df95b5-df95b7 106->111 107->106 112 df953a-df9581 107->112 109->90 114 df95a0-df95a2 109->114 115 df95be-df95e2 110->115 116 df95e4-df95e6 110->116 111->109 112->101 114->95 117 df95a8 114->117 115->101 116->101 117->90
            APIs
            • SysAllocString.OLEAUT32(13C511C2), ref: 00DF91B7
            • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00DF91FD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: AllocBlanketProxyString
            • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
            • API String ID: 900851650-4011188741
            • Opcode ID: 73d20c16e1536381449d6a491d940890da3d15eaf159ea973759add8f9a17c93
            • Instruction ID: efd0c3726eb986bf3de3b7793f315fedf5ebfe1c753b831e984fee17ad678b27
            • Opcode Fuzzy Hash: 73d20c16e1536381449d6a491d940890da3d15eaf159ea973759add8f9a17c93
            • Instruction Fuzzy Hash: EE2252B19083019BE320CF24C891B6BFBE6EF95314F198A1CF6959B2C1D774D905CBA2
            Function 00DCCF05 Relevance: 18.1, Strings: 14, Instructions: 574COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 118 dccf05-dccf12 119 dccf20-dccf5c 118->119 119->119 120 dccf5e-dccfa5 call dc8930 call df9030 119->120 125 dccfb0-dccffc 120->125 125->125 126 dccffe-dcd06b 125->126 127 dcd070-dcd097 126->127 127->127 128 dcd099-dcd0aa 127->128 129 dcd0ac-dcd0b3 128->129 130 dcd0cb-dcd0d3 128->130 131 dcd0c0-dcd0c9 129->131 132 dcd0eb-dcd0f8 130->132 133 dcd0d5-dcd0d6 130->133 131->130 131->131 135 dcd0fa-dcd101 132->135 136 dcd11b-dcd123 132->136 134 dcd0e0-dcd0e9 133->134 134->132 134->134 137 dcd110-dcd119 135->137 138 dcd13b-dcd266 136->138 139 dcd125-dcd126 136->139 137->136 137->137 141 dcd270-dcd2ce 138->141 140 dcd130-dcd139 139->140 140->138 140->140 141->141 142 dcd2d0-dcd2ff 141->142 143 dcd300-dcd31a 142->143 143->143 144 dcd31c-dcd36b call dcb960 143->144 147 dcd370-dcd3ac 144->147 147->147 148 dcd3ae-dcd3c5 call dc8930 call df9030 147->148 152 dcd3ca-dcd3eb 148->152 153 dcd3f0-dcd43c 152->153 153->153 154 dcd43e-dcd4ab 153->154 155 dcd4b0-dcd4d7 154->155 155->155 156 dcd4d9-dcd4ea 155->156 157 dcd4ec-dcd4ef 156->157 158 dcd4fb-dcd503 156->158 159 dcd4f0-dcd4f9 157->159 160 dcd51b-dcd528 158->160 161 dcd505-dcd506 158->161 159->158 159->159 162 dcd52a-dcd531 160->162 163 dcd54b-dcd557 160->163 164 dcd510-dcd519 161->164 165 dcd540-dcd549 162->165 166 dcd559-dcd55a 163->166 167 dcd56b-dcd696 163->167 164->160 164->164 165->163 165->165 168 dcd560-dcd569 166->168 169 dcd6a0-dcd6fe 167->169 168->167 168->168 169->169 170 dcd700-dcd72f 169->170 171 dcd730-dcd74a 170->171 171->171 172 dcd74c-dcd791 call dcb960 171->172
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: ()$+S7U$,_"Q$0C%E$5F7EAD8FBF4AB610D7CBBD6DF28D3732$7W"i$;[*]$<KuM$N3F5$S7HI$occupy-blushi.sbs$y?O1$c]e$gy
            • API String ID: 0-231388982
            • Opcode ID: 020e893ffd64b1ab4b32686b037d690b6bf7c429ff606045d40dfe8c249fe2be
            • Instruction ID: 763a5ebac373fd07dd7fb32e403c7fb346ee28b876883322bca02f8fa2985685
            • Opcode Fuzzy Hash: 020e893ffd64b1ab4b32686b037d690b6bf7c429ff606045d40dfe8c249fe2be
            • Instruction Fuzzy Hash: C51203B15483C18ED3358F25C495BEFBBE2EBD2304F18896CC4DA5B256C775090ACBA2
            Function 00DC89A0 Relevance: 1.8, APIs: 1, Instructions: 252COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 203 dc89a0-dc89b1 call dfcb70 206 dc89b7-dc89cf call df6620 203->206 207 dc8cb3-dc8cbb ExitProcess 203->207 211 dc8cae call dfdeb0 206->211 212 dc89d5-dc89fb 206->212 211->207 216 dc89fd-dc89ff 212->216 217 dc8a01-dc8bda 212->217 216->217 219 dc8c8a-dc8ca2 call dc9ed0 217->219 220 dc8be0-dc8c50 217->220 219->211 225 dc8ca4 call dcce80 219->225 221 dc8c56-dc8c88 220->221 222 dc8c52-dc8c54 220->222 221->219 222->221 227 dc8ca9 call dcb930 225->227 227->211
            APIs
            • ExitProcess.KERNEL32(00000000), ref: 00DC8CB6
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 2d10c7a0f4fba6371ca8c8c2b8bb5cfbeb7eeb025cb5bf7b1f7afaa302f6e3e3
            • Instruction ID: 98f5fb12c52960e38963d0bc3fe89771f17451f901675815cb7612cee654678b
            • Opcode Fuzzy Hash: 2d10c7a0f4fba6371ca8c8c2b8bb5cfbeb7eeb025cb5bf7b1f7afaa302f6e3e3
            • Instruction Fuzzy Hash: 22711373B547050BC708DEBAC99276AFAD6ABC8310F0DD83D6888D7390EEB89C054695
            Function 00DFDF70 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 234 dfdf70-dfdfa2 LdrInitializeThunk
            APIs
            • LdrInitializeThunk.NTDLL(00DFBA46,?,00000010,00000005,00000000,?,00000000,?,?,00DD9158,?,?,00DD19B4), ref: 00DFDF9E
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
            • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
            • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
            • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
            Function 00DFB7E0 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 229 dfb7e0-dfb7ff 230 dfb800-dfb83d 229->230 230->230 231 dfb83f-dfb85b RtlAllocateHeap 230->231
            APIs
            • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00DFB84E
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: c1e261dbece4f7e4d49ba9027099408bb5b4d062cef65183473a60b5b45e13e2
            • Instruction ID: 102a3aba73b8e54c4b99f0094dc97bb0aba4fcd556ae6b2a0b4b78ea3b98109c
            • Opcode Fuzzy Hash: c1e261dbece4f7e4d49ba9027099408bb5b4d062cef65183473a60b5b45e13e2
            • Instruction Fuzzy Hash: 77019933A457080BC300AFBCDCD469ABB96EFD9324F2A463DE5D4873D0DA31990AC295
            Function 00DCCE80 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 232 dcce80-dcceb0 CoInitializeEx
            APIs
            • CoInitializeEx.COMBASE(00000000,00000002), ref: 00DCCE94
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: Initialize
            • String ID:
            • API String ID: 2538663250-0
            • Opcode ID: c1de7bc4aa1c3f26e2cd5a52feb9b9796074b3da788ceb663cbb059ee04454c8
            • Instruction ID: 2fd8aa6b550348246aec34b785cd20eea843d61fa863758872f11b76c31d8a53
            • Opcode Fuzzy Hash: c1de7bc4aa1c3f26e2cd5a52feb9b9796074b3da788ceb663cbb059ee04454c8
            • Instruction Fuzzy Hash: C6D023213D02487BE124B71DEC57F27325DC703754F440626B772DA6C2DD52B929C065
            Function 00DCCEB3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 233 dcceb3-dccee2 CoInitializeSecurity
            APIs
            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00DCCEC6
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeSecurity
            • String ID:
            • API String ID: 640775948-0
            • Opcode ID: a2db011fc4e73690088a093cbca9276f70240f01beec86158058761c80901233
            • Instruction ID: 407197606f03ad606493af6368352e2440124782b21f381f0def737f5f608af7
            • Opcode Fuzzy Hash: a2db011fc4e73690088a093cbca9276f70240f01beec86158058761c80901233
            • Instruction Fuzzy Hash: 00D012313D53417AFD7486489C53F1022058705F24F340B08B332FE2D1C9D27195850C
            Function 00DCD7D3 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 265 dcd7d3-dcd7d8 CoUninitialize 266 dcd7da-dcd7e1 265->266
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: Uninitialize
            • String ID:
            • API String ID: 3861434553-0
            • Opcode ID: 40768528dec6b0df0e3a12917f320d54b8dc0c90cc84864b7351440189def9c0
            • Instruction ID: f8c8045966430e37086e292212e110a97522949cbefeadd2c6987a867e9ef7ed
            • Opcode Fuzzy Hash: 40768528dec6b0df0e3a12917f320d54b8dc0c90cc84864b7351440189def9c0
            • Instruction Fuzzy Hash: 4BA0113BB00008888B8000A8B8020EEF320E28003AB0002B3C328C2800EA22A2288280

            Non-executed Functions

            Function 00DE3D70 Relevance: 24.3, Strings: 19, Instructions: 515COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
            • API String ID: 1279760036-1524723224
            • Opcode ID: c8b6e2dc8747a805ec598caf9e69a97e5a1b2d60ca69f7f59ee36502efad151c
            • Instruction ID: aafb7ce01ca7b2ad49a9b0a895e51e9dbf3f38b65b96b65fbe17a86491862d48
            • Opcode Fuzzy Hash: c8b6e2dc8747a805ec598caf9e69a97e5a1b2d60ca69f7f59ee36502efad151c
            • Instruction Fuzzy Hash: EF229BB160C3C08FD321AF29C4943AEBBE1AB95314F18496DE5D987392D7B6C845CB63
            Function 00DC94D0 Relevance: 17.9, Strings: 14, Instructions: 385COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
            • API String ID: 0-1787199350
            • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
            • Instruction ID: 328543270e4346dce8eb31eb0b757d977196960b1759f83bca6ddc8d26d72af8
            • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
            • Instruction Fuzzy Hash: 6BB1C77010C3818FD3158F29846476BFFE1AF97754F18496CE4D58B392D779890ACBA2
            Function 00DC98F0 Relevance: 11.7, Strings: 9, Instructions: 428COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 5F7EAD8FBF4AB610D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
            • API String ID: 0-1685103783
            • Opcode ID: 31b9525e778b896dc44bce19f0f3cfe0a562c91e083fc74e17d2cbddf74271c6
            • Instruction ID: ff8727d9aa552f0e79a0c938b16b4dd85239ab5b97818d1c2f7db0b2d3e861cf
            • Opcode Fuzzy Hash: 31b9525e778b896dc44bce19f0f3cfe0a562c91e083fc74e17d2cbddf74271c6
            • Instruction Fuzzy Hash: 7FE16A72A483508BD328CF35C85176BFBE6EBD1314F198A2DE5E58B391DA34C805CB52
            Function 00F8DD4C Relevance: 11.6, Strings: 8, Instructions: 1648COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 6sq_$EHo$`HZ]$o_'$zfEs$~1k$5{^$:W
            • API String ID: 0-4150171472
            • Opcode ID: 21afc753b20c3d30bd0b280b45cb2a1f5aa76c5d093b93a1502ff3cdce173183
            • Instruction ID: f717b1fae5d1b508fadf6ee53c7a477f9b361962d0bdc2ff51460ea19c32c538
            • Opcode Fuzzy Hash: 21afc753b20c3d30bd0b280b45cb2a1f5aa76c5d093b93a1502ff3cdce173183
            • Instruction Fuzzy Hash: BAB234F360C3049FE3046E29EC8567AFBE9EF94720F1A893DE6C487744EA3558418796
            Function 00F91428 Relevance: 10.4, Strings: 7, Instructions: 1699COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: +fn$@Ck$@Po}$L}~$w`>?$7~m$u
            • API String ID: 0-2595637549
            • Opcode ID: 13ed7209bc422d9058004a58ea342c717e578c64785571a1d39377d2e488412f
            • Instruction ID: a34f245cfa9cc315f55f8a8ab9b4d12fe85b8e599117512943e0c4445f115393
            • Opcode Fuzzy Hash: 13ed7209bc422d9058004a58ea342c717e578c64785571a1d39377d2e488412f
            • Instruction Fuzzy Hash: 77B229F350C2049FE304AE2DDC8567ABBE9EF94320F1A4A3DEAC4C7744E63599058697
            Function 00DDDB30 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
            • API String ID: 0-3274379026
            • Opcode ID: 35ffcf1ec5ed9fe082177a6af5eba0c1663cbdd5e68e9887a745aab3b3a10f17
            • Instruction ID: 88e73ac5ea1266944daa8f7579b95217492ad29a1ce86b79afb69c7fba1c7055
            • Opcode Fuzzy Hash: 35ffcf1ec5ed9fe082177a6af5eba0c1663cbdd5e68e9887a745aab3b3a10f17
            • Instruction Fuzzy Hash: 9E5146715283518BD720CF29C8902ABB7F2FFC6311F18994DE8C19B355EB74890AC792
            Function 00F8C2E2 Relevance: 6.6, Strings: 4, Instructions: 1602COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: zyE$jf4$qw|$k~u
            • API String ID: 0-746827503
            • Opcode ID: 68b9bc2da58e5ddc019dd00d6d19c2446bca76bbd8c661a6eeacaf2ba81c9b7d
            • Instruction ID: 76df85b2985d6d61c958683f77323817b8b4c8cb9d80d08867a1cde2c68f5bee
            • Opcode Fuzzy Hash: 68b9bc2da58e5ddc019dd00d6d19c2446bca76bbd8c661a6eeacaf2ba81c9b7d
            • Instruction Fuzzy Hash: 8BB2F5F3A0C204AFE3146E2DDC8567AFBE9EF94720F164A2DEAC5D3744E63558008697
            Function 00DCE35B Relevance: 6.5, Strings: 5, Instructions: 295COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: Lk$U\$Zb$occupy-blushi.sbs$r
            • API String ID: 0-2705259042
            • Opcode ID: c671bd341f7e0feb3bb35179fe65ef7025d1ae08e78efba91c40e1754315f370
            • Instruction ID: 85f1dd9b93d0ccbcf535baabdfb34df94120583dc8b13356afe37eb344a5a6b5
            • Opcode Fuzzy Hash: c671bd341f7e0feb3bb35179fe65ef7025d1ae08e78efba91c40e1754315f370
            • Instruction Fuzzy Hash: 90A1BEB011C3D28AD7758F25C494BEFBBE1AB93308F188A5CD0E95B286DB3941068B57
            Function 00DC9210 Relevance: 6.5, Strings: 5, Instructions: 269COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: )=+4$57$7514$84*6$N
            • API String ID: 0-4020838272
            • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
            • Instruction ID: 8a59532d43861df2ae37c348f53a71acdf3da053d9707cc1d14fb3830c8f6752
            • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
            • Instruction Fuzzy Hash: 4471B26110C3C68BD319CB2984B477BFFE1AFA2305F1C499DE4D64B282D779890AC766
            Function 00DE0870 Relevance: 5.9, Strings: 4, Instructions: 861COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: +2/?$=79$BBSH$GZE^
            • API String ID: 0-3392023846
            • Opcode ID: 370b0f24b5883df81cf3d486c6b439678d19b969120f962a37423067c06eb327
            • Instruction ID: 1984cf02ff85242665f2650b09dbaa91f0f2d9a2e8bf8fd5d3a9de724d179ed1
            • Opcode Fuzzy Hash: 370b0f24b5883df81cf3d486c6b439678d19b969120f962a37423067c06eb327
            • Instruction Fuzzy Hash: 8F521370604B818FC735CF3AC890766BBE1BF56314F188A6DD4E68BB92C775A446CB60
            Function 00DCB210 Relevance: 5.5, Strings: 4, Instructions: 464COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: H{D}$TgXy$_o]a$=>?
            • API String ID: 0-2004217480
            • Opcode ID: 3d169b931edde546920859f6f237d4ed3955bc9a325935411f64c7876895789d
            • Instruction ID: 24a2fe5ceed5633d269318bebe1704aa506d1bc290c7df1a167edb4c31159c2e
            • Opcode Fuzzy Hash: 3d169b931edde546920859f6f237d4ed3955bc9a325935411f64c7876895789d
            • Instruction Fuzzy Hash: FE1268B1210B01CFE324CF26D895B97BBF5FB45314F048A1DD5AA9BAA0CB75A449CF90
            Function 00DE7E20 Relevance: 5.5, Strings: 4, Instructions: 461COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: =:;8$=:;8$a{$kp
            • API String ID: 0-2717198472
            • Opcode ID: 5190097cc8cc9cee4744954979d07e643beb69953e347026aa1bd4f837fd35ad
            • Instruction ID: 0e317077e49a4b207b767e18e3e83abbe00041dc4d1c7e107ebb53776be6e982
            • Opcode Fuzzy Hash: 5190097cc8cc9cee4744954979d07e643beb69953e347026aa1bd4f837fd35ad
            • Instruction Fuzzy Hash: ACE1CDB5908341CFE320DF65D881B6BBBE2FBC5304F18882CE5C99B291DB359849DB52
            Function 00DCAD00 Relevance: 5.4, Strings: 4, Instructions: 424COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: @A$lPLN$svfZ$IK
            • API String ID: 0-1806543684
            • Opcode ID: c2094a97ea3a62868d68eb7760d1fdae14496ffbced6addbeb287ea92666f586
            • Instruction ID: 839b1f210edbede679781300db4299d9acc45092216ab9774d12601539c114e4
            • Opcode Fuzzy Hash: c2094a97ea3a62868d68eb7760d1fdae14496ffbced6addbeb287ea92666f586
            • Instruction Fuzzy Hash: E8C1147164C3858FD3248E6584A276FBBE2EBC2714F1C892DE4E54B381D775CC099BA2
            Function 00F85740 Relevance: 5.4, Strings: 3, Instructions: 1631COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 8o??$S~{[$WNY
            • API String ID: 0-56922560
            • Opcode ID: 446e5b6577c874ad2a4c3ec9de8468eece00acf8b45b354eb661ebfa40b8da83
            • Instruction ID: 18b76d7f5c999f5d5da28393cff1a0f43fcfe489dd5fbb5599a2835dda92c068
            • Opcode Fuzzy Hash: 446e5b6577c874ad2a4c3ec9de8468eece00acf8b45b354eb661ebfa40b8da83
            • Instruction Fuzzy Hash: 9CB2F6F360C2009FE3046E2DEC8567ABBE9EF94720F1A493DE6C4C7744EA3598418697
            Function 00F94F99 Relevance: 5.1, Strings: 3, Instructions: 1338COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 2OU$;u*$r!h
            • API String ID: 0-3002902936
            • Opcode ID: 2cd1329b24eb1b250e6469f283d26dc7115866ffda50a9832ecd46aac2efd8d3
            • Instruction ID: 27356d8daee68a1bf7005c9473e7e24b8fdcad3dc2c883a419aaff7a92699da3
            • Opcode Fuzzy Hash: 2cd1329b24eb1b250e6469f283d26dc7115866ffda50a9832ecd46aac2efd8d3
            • Instruction Fuzzy Hash: B2921AF360C2049FE304AE2DEC8567AB7E9EF94720F16893DEAC4C7744EA3558418796
            Function 00DE5E90 Relevance: 4.0, Strings: 3, Instructions: 295COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: @J$KP$VD
            • API String ID: 0-3841663987
            • Opcode ID: 919f429c213346f51ed4b2b80f209464e75be80a12513bfb250a1317c50912c7
            • Instruction ID: 3b1f0934e9e239d7a881f0a4e33f37bce61c4d692cfc0c33f291d7a357b9bed9
            • Opcode Fuzzy Hash: 919f429c213346f51ed4b2b80f209464e75be80a12513bfb250a1317c50912c7
            • Instruction Fuzzy Hash: F8918775B04B41AFD720CF65DC81BABBBB1FB81304F14452CE195AB781C375A85ACBA2
            Function 00DCC02B Relevance: 3.9, Strings: 3, Instructions: 166COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: PQ$A_$IG
            • API String ID: 0-2179527320
            • Opcode ID: 928cb5ab589ecbe892a5a15674148d967d55cadff80b0c39c10e430b339f89e5
            • Instruction ID: b72b2299a752161bacf54cead97ba7747837b3cb39a5825c95a5f04e05e6c9de
            • Opcode Fuzzy Hash: 928cb5ab589ecbe892a5a15674148d967d55cadff80b0c39c10e430b339f89e5
            • Instruction Fuzzy Hash: 4041AD7001C342CAC704CF22D851B6BB7F0FF96758F28AA0DE1C59B695D7358586CB5A
            Function 00DFF8D0 Relevance: 3.3, Strings: 2, Instructions: 813COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: cC$jC
            • API String ID: 0-2055910567
            • Opcode ID: 387ddd15fa4ad679a5a0bb251739540010474ab1e877572b6a08dd03ad161b9f
            • Instruction ID: 65c4760de8b0b1df561d95a8a7d7f265fca60fc751fe1e8d4bd615297ccf5162
            • Opcode Fuzzy Hash: 387ddd15fa4ad679a5a0bb251739540010474ab1e877572b6a08dd03ad161b9f
            • Instruction Fuzzy Hash: F742FE36B04219CFCB08CF69D8916AEB7F2FB89310F1E857DC946A7391C6359946CB90
            Function 00DFC040 Relevance: 3.1, Strings: 2, Instructions: 624COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: f$
            • API String ID: 2994545307-508322865
            • Opcode ID: 122173c4cb4f0f3b18f175da94ae569f28d5e516593784fe96dc7ec093ff6c1a
            • Instruction ID: 6a18fdb007b4f52894c3aacaa336450f677c60fdd8241030a093bb0a66300607
            • Opcode Fuzzy Hash: 122173c4cb4f0f3b18f175da94ae569f28d5e516593784fe96dc7ec093ff6c1a
            • Instruction Fuzzy Hash: 0312E47021C3499FD714CF29C980A3BBBE2EBC5314F19DA2CE695872A2D731D855CB62
            Function 00F87214 Relevance: 2.9, Strings: 1, Instructions: 1677COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: zpg
            • API String ID: 0-537568134
            • Opcode ID: 29d6a58adc25b40b63694a167393f128f4d3aa4a08804859dfad0d31fed0ada7
            • Instruction ID: c437818ee087bdb74064a989e1539a3e77d284e75c6ea158c74111bf068d07d0
            • Opcode Fuzzy Hash: 29d6a58adc25b40b63694a167393f128f4d3aa4a08804859dfad0d31fed0ada7
            • Instruction Fuzzy Hash: 17B239F36082049FE304AE2DEC8567AFBE5EF94720F16463DEAC5C7344EA3558058796
            Function 00F88D47 Relevance: 2.9, Strings: 1, Instructions: 1628COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: '"n<
            • API String ID: 0-4084850875
            • Opcode ID: 2fe2eaa2509a7f6682cdbe68e858202fb98fe14e3f13123a4365057b0a499de4
            • Instruction ID: 0ff5abf87003681ed07f7db418dcbd49b41a7d3bca1ae57766fa76dae3c2c8a4
            • Opcode Fuzzy Hash: 2fe2eaa2509a7f6682cdbe68e858202fb98fe14e3f13123a4365057b0a499de4
            • Instruction Fuzzy Hash: D1B226F3A0C2049FE7046E2DEC8577ABBE9EF94320F1A453DEAC587744EA3558018697
            Function 00DF24E0 Relevance: 2.8, Strings: 2, Instructions: 254COMMON
            Download Yara Rule
            Strings
            • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00DF2591
            • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00DF25D2
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
            • API String ID: 0-2492670020
            • Opcode ID: d36ebacd7e241ae80b3b7cdb8c9049856338acc85baef249409e47cd43da765b
            • Instruction ID: c217edfbd3fb69cd86ef515166156db4f54e8226517fd3222252699c0c16fabf
            • Opcode Fuzzy Hash: d36ebacd7e241ae80b3b7cdb8c9049856338acc85baef249409e47cd43da765b
            • Instruction Fuzzy Hash: F3815B33A086994BCB158E3C9C912BABB965F97330B2EC3A9D6B19B3D5C125CD058370
            Function 00DC5AC9 Relevance: 2.7, Strings: 2, Instructions: 219COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 0$8
            • API String ID: 0-46163386
            • Opcode ID: 54353097277098c6451a78825f9cdbe380c5c5fbf5bd93ead58a4196ece8dccc
            • Instruction ID: 2917023cd4e32371fa012dd083a5004b1c671e7415d095a4b94a22ce7a1e335f
            • Opcode Fuzzy Hash: 54353097277098c6451a78825f9cdbe380c5c5fbf5bd93ead58a4196ece8dccc
            • Instruction Fuzzy Hash: F3A11236609781DFD720CF28D840B9EBBE1AB99304F18895CE9C897362C775E958CF52
            Function 00DC542C Relevance: 2.7, Strings: 2, Instructions: 217COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: 0$8
            • API String ID: 0-46163386
            • Opcode ID: 97724827498dafa9135218ef6999c8ddaee197a86666f4452c31d6bcecf12fed
            • Instruction ID: e225eff007dc2688727eb8f0b607fb299c3add1862e65744ea60e6544331136f
            • Opcode Fuzzy Hash: 97724827498dafa9135218ef6999c8ddaee197a86666f4452c31d6bcecf12fed
            • Instruction Fuzzy Hash: 7CA11336508781DFD720CF28D840B9BBBE1AB99304F18895CE9C8A7362C775E958CF52
            Function 00DCE970 Relevance: 2.6, Strings: 2, Instructions: 106COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: efg`$efg`
            • API String ID: 0-3010568471
            • Opcode ID: f02ac4e34dc7ecaae303caab127a1d5815ed01cbe8ccecdad67fad392044a60d
            • Instruction ID: f7d4465c0db2b5f342df6101c8fcfb8817bc21451dc7ee0cc943a73dcaaf4719
            • Opcode Fuzzy Hash: f02ac4e34dc7ecaae303caab127a1d5815ed01cbe8ccecdad67fad392044a60d
            • Instruction Fuzzy Hash: DE31AF72A083528BD738DF51D991B6FB792AFE4300F5A442CD9C667255CE309D0AC7E2
            Function 00DE8CB0 Relevance: 1.7, Strings: 1, Instructions: 490COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: st@
            • API String ID: 0-3741395493
            • Opcode ID: b3b2de0dcb227de8c25463395cb8cabff67e436b1de47da845a696105cecf79e
            • Instruction ID: abef2f25005c2de9a543093130dce8c368d195587312248bdceefc9d9cfa2ee8
            • Opcode Fuzzy Hash: b3b2de0dcb227de8c25463395cb8cabff67e436b1de47da845a696105cecf79e
            • Instruction Fuzzy Hash: 96F145B190C3918FD3049F25C89076BFBE2AF96304F18886DE5C597382D776D949CBA2
            Function 00DE8770 Relevance: 1.7, Strings: 1, Instructions: 466COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: =:;8
            • API String ID: 2994545307-508151936
            • Opcode ID: 96ddea86cb5ce133e1fb839339941c45a5892b5f5199d525762abf77ff37ef78
            • Instruction ID: 7c987967d506156c6d75c64c62b087f8d6d23e4c53f8052aaa665c67af4ad6b5
            • Opcode Fuzzy Hash: 96ddea86cb5ce133e1fb839339941c45a5892b5f5199d525762abf77ff37ef78
            • Instruction Fuzzy Hash: 54D15C72A483918BD714EA29CC8177BB792EBC5304F1D857DD8CA4B382DA74DC06E7A1
            Function 00DD9530 Relevance: 1.7, Strings: 1, Instructions: 449COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: efg`
            • API String ID: 0-115929991
            • Opcode ID: abbcdcf88b32e2b07f4c85f1a7219924364dc5f9b6ab8bfbc7c4f73356c23dc8
            • Instruction ID: 6748a8f43b12921edfaa8c4365601cf1cd9032b875874a8cdf97410c27861d63
            • Opcode Fuzzy Hash: abbcdcf88b32e2b07f4c85f1a7219924364dc5f9b6ab8bfbc7c4f73356c23dc8
            • Instruction Fuzzy Hash: 9BC12171900215CFCB248F68DCA2BBBB3B4FF46310F184169E956A7391E732A955CBB1
            Function 00E00F60 Relevance: 1.5, Strings: 1, Instructions: 272COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: _^]\
            • API String ID: 2994545307-3116432788
            • Opcode ID: 94e7ea0008e48af8591370889112c2cdb90b846010be88437755eba9ae1371e3
            • Instruction ID: daec76feb537946a9016ee4e7115f0617209070fa492267e04963ec7629c2cd6
            • Opcode Fuzzy Hash: 94e7ea0008e48af8591370889112c2cdb90b846010be88437755eba9ae1371e3
            • Instruction Fuzzy Hash: 4281DF342083428FC719DF58D490A2AB3F2FF99714F0595ACE985AB3A5D731EC91CB82
            Function 00DC61A0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: ,
            • API String ID: 0-3772416878
            • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
            • Instruction ID: dee02434985c881b30f6511db3ac55ecaa5fd460396e05882a6b18e078466801
            • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
            • Instruction Fuzzy Hash: B2B138711083819FD325CF58C890B1BFBE0AFA9704F484A2DE5D997382D631E918CBA6
            Function 00DFBCE0 Relevance: 1.5, Strings: 1, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: 5|iL
            • API String ID: 2994545307-1880071150
            • Opcode ID: a9e8596d384ace4b43f86e89854bc48af68b944c66e716ee591fe1e54372a4bd
            • Instruction ID: 7873a3c26c8fb4e70bebbf4781eb10709a28581a58b56091d556dc2ef299dc30
            • Opcode Fuzzy Hash: a9e8596d384ace4b43f86e89854bc48af68b944c66e716ee591fe1e54372a4bd
            • Instruction Fuzzy Hash: E171F832A047148FC7148E69CC80677B7A6EFC5330F1AC66DEA95A7265C372DC418BE1
            Function 00E9E36D Relevance: 1.5, Strings: 1, Instructions: 240COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: {~
            • API String ID: 0-383666369
            • Opcode ID: e5621910e83b80ce7518d6d700863bcc71b562c7142344b6801a4d3cc1f9ede5
            • Instruction ID: 0f91959408aa78275a29c30cdf60f55b275fe6f9a491a3ea9820791e886300d6
            • Opcode Fuzzy Hash: e5621910e83b80ce7518d6d700863bcc71b562c7142344b6801a4d3cc1f9ede5
            • Instruction Fuzzy Hash: 5A7107F3A083045FF3046E2DEC4576ABBD6DBD4320F2A853DEA8887784E9795D058686
            Function 00DCE0D8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: efg`
            • API String ID: 2994545307-115929991
            • Opcode ID: 6264b171c3fd7a4561b4485781b40643d1d8f5d3858ec101d63eee4f9d86f8bb
            • Instruction ID: b88e09fe33fb6c3ff06efb265469a1458b3e8b10938f19d815c2efeb4e42fed1
            • Opcode Fuzzy Hash: 6264b171c3fd7a4561b4485781b40643d1d8f5d3858ec101d63eee4f9d86f8bb
            • Instruction Fuzzy Hash: E45105B2A043918BD720EB619C82BAF7357EFD1304F19442CE98D67246DE316A0687B7
            Function 00DCEA38 Relevance: 1.4, Strings: 1, Instructions: 139COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID: D
            • API String ID: 0-2746444292
            • Opcode ID: 046ced95662f4044b6e39e8a779fd3b14f81c9ab39c7ef6269eb37739e7b4ccf
            • Instruction ID: 33e2287c9f7868659fafd95718b1957fcb563ceb8344bd47bb50601bcfbc244a
            • Opcode Fuzzy Hash: 046ced95662f4044b6e39e8a779fd3b14f81c9ab39c7ef6269eb37739e7b4ccf
            • Instruction Fuzzy Hash: 7B5112B15493818EE7208F12C86176BBBF1FF91744F24980CE6D91B294D7B69849CF87
            Function 00DC77D0 Relevance: .8, Instructions: 758COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
            • Instruction ID: a3ff865770713e3f2863ef624fc9a704d6d957a4c805a63e991458bce10f59ce
            • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
            • Instruction Fuzzy Hash: EF42C53160C3128BC725DF18E880BAAB3E2FFD4314F29892DD99687385D735E955CB62
            Function 00DC6CC0 Relevance: .7, Instructions: 670COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 42628cf95ab9fce5e053ca6c0ea902b4d83b9966eb1c0261338696e02dc26f16
            • Instruction ID: e0d6792a25ea04cb3f67b9386fbbc875abe7514b602a41ac1cf9e8555cb5e3ec
            • Opcode Fuzzy Hash: 42628cf95ab9fce5e053ca6c0ea902b4d83b9966eb1c0261338696e02dc26f16
            • Instruction Fuzzy Hash: 5952C77090CB858FEB35CB24C484BA7BBE1EB51314F18492ED5E707B82C279E885DB65
            Function 00DC4AC0 Relevance: .7, Instructions: 665COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dd0c6e2f7c853eff985675e9632d0d80c221d2488c2351b4e8919e41995f2ab3
            • Instruction ID: c0fe27ef932f82187cc883732a23363a121eb3b4b70fca54986f162cc57018c8
            • Opcode Fuzzy Hash: dd0c6e2f7c853eff985675e9632d0d80c221d2488c2351b4e8919e41995f2ab3
            • Instruction Fuzzy Hash: 53427A75608301DFD704CF29D854B5ABBE1FF88355F04882CE8899B291D37AD988CF52
            Function 00DC2B80 Relevance: .7, Instructions: 657COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 388b62c5bab6d60d050c7c4e7590a5e37e7bd7c717857e130da3eeb6b6a6a1a4
            • Instruction ID: 4ba825b2c4dfad28e71a0ecb89da5c5de9efbf0f5172e64880501a9de009b88b
            • Opcode Fuzzy Hash: 388b62c5bab6d60d050c7c4e7590a5e37e7bd7c717857e130da3eeb6b6a6a1a4
            • Instruction Fuzzy Hash: BA52C0315083468FCB19CF19C090BAABBE1BF88314F198A6DF8D95B351D774E989CB91
            Function 00DC3580 Relevance: .6, Instructions: 631COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd84f43186cddf00d712892a889304645f67f224186123f3e5bf0b90407a02b0
            • Instruction ID: 8204bfbfbdbc1334a435c693df338062a0cffe0f298dbd7e601cfd820eba5fd5
            • Opcode Fuzzy Hash: bd84f43186cddf00d712892a889304645f67f224186123f3e5bf0b90407a02b0
            • Instruction Fuzzy Hash: 28424871514B128FC368CF29C590A6AB7F2BF85710B648A2ED69787F90D735F941CB20
            Function 00DC5C90 Relevance: .4, Instructions: 417COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
            • Instruction ID: 340d8c99169e4f3f3ca1a281b21669a1d2b4658dea86e25ea75ee66a9092ffb2
            • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
            • Instruction Fuzzy Hash: 51F17B712087428FC728CF29C881B6BFBE2EF94300F48492DE5D687791E635E945CB66
            Function 00DC6840 Relevance: .3, Instructions: 320COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
            • Instruction ID: 1a422bf48e96248dd8f866380f16c89e11f9a68ca04125ea01f7985f55cfaed3
            • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
            • Instruction Fuzzy Hash: CAC18DB2A087418FC364CF68C896B9BB7E1BF84318F08492DD5DAC7341E678E545CB56
            Function 00DF87B0 Relevance: .3, Instructions: 303COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
            • Instruction ID: f4a2d20d2d6da1e0c117b08fcc2f196aa88ce2f7121fd8702375763e17cb9cbe
            • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
            • Instruction Fuzzy Hash: 35B12A72D087D48FDB11CA7CC8803697FA29B57220F1EC395D5A5AB3C6C6358806D7B2
            Function 00E01580 Relevance: .3, Instructions: 293COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 51bd2c917505d08cf3dc1a74bb13858f386314421adb50984c429b599105b2be
            • Instruction ID: f3793f1d48ecc4d6f3cabb4397c3c6b3b38228a8c35f5c90b70c1f4bc7a34469
            • Opcode Fuzzy Hash: 51bd2c917505d08cf3dc1a74bb13858f386314421adb50984c429b599105b2be
            • Instruction Fuzzy Hash: CE81037160C3418FD718DF68E850A2BB7E2EF89314F08987CE985EB291E671DD858792
            Function 00DFC780 Relevance: .3, Instructions: 283COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
            • Instruction ID: 6f06de6ac9a67520cade230562fcd8c72a84790402f6c917b26b3f923929755c
            • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
            • Instruction Fuzzy Hash: DFA1003160C3998FC325CF28C59063ABBE1AF86300F1ED66DE5E58B392D6349C05CB62
            Function 00DDFB60 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2ee43df37fdc332104021f6b70b5051cf5e9cf31d1cd06cfd42caec76188566e
            • Instruction ID: 00c033d7a7d454111d3cec89f1fb877af5332824364bbd837807b6589dcae3f1
            • Opcode Fuzzy Hash: 2ee43df37fdc332104021f6b70b5051cf5e9cf31d1cd06cfd42caec76188566e
            • Instruction Fuzzy Hash: 15913F32A042614FC725CF28C85076ABBD2AB85324F1DC27EE8BA9B392D675DC45C3D1
            Function 00E00C80 Relevance: .3, Instructions: 269COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 6adee24e7e3867ee6a603c808d04711efbdcb44b9eb279645e50cc6006cf0b39
            • Instruction ID: d7852c606de4892862cd557c82077bad93096f20735813489d5289fed20f10f9
            • Opcode Fuzzy Hash: 6adee24e7e3867ee6a603c808d04711efbdcb44b9eb279645e50cc6006cf0b39
            • Instruction Fuzzy Hash: 587127356083469BCB149B18D850B3FB7E2FFD4710F15D82CE585AB2A4D7309C81D752
            Function 00F1AEFE Relevance: .3, Instructions: 257COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ac9a0b5377a30ea0709bc41d756d5d731fe16b79a4077612db2ed71861aac77a
            • Instruction ID: e05627e63a2532bf4db656af3d052a9aa9aa6cd1d45785b7c329c238d5262dec
            • Opcode Fuzzy Hash: ac9a0b5377a30ea0709bc41d756d5d731fe16b79a4077612db2ed71861aac77a
            • Instruction Fuzzy Hash: 22716FF3A086004FF348AE3DEC9577ABBDAEBD4710F1A863DD684C7784E97558058292
            Function 00DF41D0 Relevance: .2, Instructions: 244COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 25bfb478033453ed371ad4f0e0a6b6d5ab713ab20ec0de4bc0633e6b336cf6be
            • Instruction ID: 4263f644611e61aef15bf2870d4d46280bad17b13055558b72afa04b8e8bddde
            • Opcode Fuzzy Hash: 25bfb478033453ed371ad4f0e0a6b6d5ab713ab20ec0de4bc0633e6b336cf6be
            • Instruction Fuzzy Hash: AD716C33B595A047CB1C897D4C122BAAA874BD333472FC37AAEB5E73E0C5698D0542A0
            Function 00DFB8E0 Relevance: .2, Instructions: 217COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 8aaf2f8de5e932e2f5a7d8932d93db710d87adaf55f624c704cd2daf08134b66
            • Instruction ID: b69069c96684dfad8c3c7bbdd14e908b1472b2a3dbdced30f8a756bd7e1ecdfa
            • Opcode Fuzzy Hash: 8aaf2f8de5e932e2f5a7d8932d93db710d87adaf55f624c704cd2daf08134b66
            • Instruction Fuzzy Hash: 04512532A083188BD3209F29D84063BB7A3EBD5730F2AC62DDAD567355D371DC028BA1
            Function 00F134C7 Relevance: .2, Instructions: 215COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5042f25da6932ffe9f66f31e9375423897aea33088f4acf96d9578a3bbda3c47
            • Instruction ID: 681a5ff48430b3f73cafcd5678e873c385dec78b46e0adabb77e955a235c7266
            • Opcode Fuzzy Hash: 5042f25da6932ffe9f66f31e9375423897aea33088f4acf96d9578a3bbda3c47
            • Instruction Fuzzy Hash: 2151F9B3D081149BF304AA29DC557BAB7D6EB90330F1B853DEAC9D7780E93A58058692
            Function 00DE0650 Relevance: .2, Instructions: 194COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20425f0b4f7b654fa8878bf039518a93b960f3f72a915fee5f8322a269876406
            • Instruction ID: e4e175fec740ed4b9852e89495445346f76cff382fac3d0bb01145f96bcbc3f9
            • Opcode Fuzzy Hash: 20425f0b4f7b654fa8878bf039518a93b960f3f72a915fee5f8322a269876406
            • Instruction Fuzzy Hash: 41515937A1A6D04BC721693E1C512A96E170BE6334B3E436AD8F4973D1C5ABCC86C7E0
            Function 00DE1790 Relevance: .2, Instructions: 165COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54057be47c8fe2eb1328f3369af55e644db0ea46efe0ec27658a7ef7c5084471
            • Instruction ID: 37d7604493deefc95e94c9d9789e85152ea6305fef2aaa0704829ab640523721
            • Opcode Fuzzy Hash: 54057be47c8fe2eb1328f3369af55e644db0ea46efe0ec27658a7ef7c5084471
            • Instruction Fuzzy Hash: 8E416B31B09385AFD310AF69AC82B5B77E8EB8A354F04883CF649C3281D635D859C772
            Function 00F6563D Relevance: .1, Instructions: 147COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5f0e733216e45e30b22d866dcec82c447462d7604fdd9388ba51767fbd095503
            • Instruction ID: ea94062eb8326f495fb2475a2f420d60686d16dcf74b270adb26d72177bc5d6f
            • Opcode Fuzzy Hash: 5f0e733216e45e30b22d866dcec82c447462d7604fdd9388ba51767fbd095503
            • Instruction Fuzzy Hash: 124126F39082009FE314AE2DED8563ABBEAEBD4710F16C93DDAD487748E9310914C692
            Function 00DF27B0 Relevance: .1, Instructions: 126COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f0bb7dbcc64bfed08cfb6a8119d4c61b8e1a1d4103e885cad1ec1edcfe70abf3
            • Instruction ID: d98b5fc993bbc6c2260fd44d51b529d5a8fb97690bdffae0e2b4a26ba5e87917
            • Opcode Fuzzy Hash: f0bb7dbcc64bfed08cfb6a8119d4c61b8e1a1d4103e885cad1ec1edcfe70abf3
            • Instruction Fuzzy Hash: 57816FB410A7848FD378CF05DA9968BBBF4BBD9308F105A1D98C867390CBB11489CF96
            Function 00DC27D0 Relevance: .1, Instructions: 76COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dadde30ef4255bc8b3afcc66e8eee9975babf083b5e3971e1de1f28a4e611aed
            • Instruction ID: b8220a118037654d49cfc753f2b2ef3d194c93da50919059f56595c0a0d1699e
            • Opcode Fuzzy Hash: dadde30ef4255bc8b3afcc66e8eee9975babf083b5e3971e1de1f28a4e611aed
            • Instruction Fuzzy Hash: AE11C83BB256224BE390DE66DCD8B266392EFC931071E413DEE81E7242C632E845D170
            Function 00DCBC9D Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 024e2a6bfc1505e3955fd2a11c8c30d8760c14940b0f8ab10f1bb90083030862
            • Instruction ID: e05f6741ddb406274f0f558ed064b1bf435fa4aea3f186a9f6097585d3d8c7e6
            • Opcode Fuzzy Hash: 024e2a6bfc1505e3955fd2a11c8c30d8760c14940b0f8ab10f1bb90083030862
            • Instruction Fuzzy Hash: FAF0E2716183815FD7188B24D89163FB7A0AB82614F10141DE2C2D3292DB22C8068E0D
            Function 00DFB860 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1754970907.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
            • Associated: 00000000.00000002.1754956293.0000000000DC0000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1754970907.0000000000E05000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755014582.0000000000E17000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010AE000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755028852.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755258518.00000000010BE000.00000080.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755356861.0000000001259000.00000040.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1755370555.000000000125A000.00000080.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f5ef0cc27cda43f57afb1167615a89cef164a62d2bfc4ab69a1a4648877912f4
            • Instruction ID: d5ffe41110ca7f3759cd62a407ae6656484a9a23e8afb519d4ce1d951b573a3c
            • Opcode Fuzzy Hash: f5ef0cc27cda43f57afb1167615a89cef164a62d2bfc4ab69a1a4648877912f4
            • Instruction Fuzzy Hash: 52B09250A042087F40289D0A8C45D7BB6BE92CB740B10A008A408A3316C651EC0882F9