
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562674
MD5: 339b28fd2dbb4a572a4fc6b7207448d7
SHA1: d6ca6c0291a42d08bf0cdd9e8b528ee2ac90f0d8
SHA256: dcfcbcb7ccf29f1ef5e01d31ed51789783c2e2a3ab2a77543cde49479556ae37
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 339B28FD2DBB4A572A4FC6B7207448D7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-11-25T21:27:16.124531+0100  2028371  3         Unknown Traffic                192.168.2.7  49701        172.67.187.240  443               TCP
2024-11-25T21:27:18.018889+0100  2028371  3         Unknown Traffic                192.168.2.7  49703        172.67.187.240  443               TCP
2024-11-25T21:27:16.819414+0100  2054653  1         A Network Trojan was detected  192.168.2.7  49701        172.67.187.240  443               TCP
2024-11-25T21:27:16.819414+0100  2049836  1         A Network Trojan was detected  192.168.2.7  49701        172.67.187.240  443               TCP

AV Detection

Source: file.exe | Avira: detected
Source: https://occupy-blushi.sbs/api_ | Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/& | Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/f | Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/apiUs | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 0_2_00D8CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 0_2_00D8E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_00DBF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax | 0_2_00DBF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 0_2_00D898F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 0_2_00DBB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_00DBB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_00DBC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh | 0_2_00DBC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h | 0_2_00DBC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_00DBC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_00DA0870
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_00DBB860
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax | 0_2_00D8C02B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 0_2_00D8E970
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_00D8EA38
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 0_2_00D8E35B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h | 0_2_00DBBCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_00D8BC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00D85C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00D85C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_00DA8CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 0_2_00D8AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] | 0_2_00DA5E90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] | 0_2_00D877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax | 0_2_00D877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] | 0_2_00DC0F60

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49701 -> 172.67.187.240:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.187.240:443
Source: Joe Sandbox View | IP Address: 172.67.187.240
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.187.240:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.187.240:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: occupy-blushi.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic | DNS traffic detected: DNS query: frogs-severz.sbs
Source: global traffic | DNS traffic detected: DNS query: occupy-blushi.sbs
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: occupy-blushi.sbs
Source: file.exe, 00000000.00000003.1350217159.00000000016DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1350050559.0000000001691000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://occupy-blushi.sbs/
Source: file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://occupy-blushi.sbs/&
Source: file.exe, 00000000.00000002.1350930893.0000000001667000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1350050559.0000000001667000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1350883536.000000000162E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://occupy-blushi.sbs/api
Source: file.exe, 00000000.00000003.1350050559.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://occupy-blushi.sbs/apiUs
Source: file.exe, 00000000.00000002.1350883536.000000000162E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://occupy-blushi.sbs/api_
Source: file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://occupy-blushi.sbs/f
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49701 version: TLS 1.2

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9992891905737705
Source: file.exe | Static PE information: Section: chjhfqsw ZLIB complexity 0.9945550685975609
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB27B0 CoCreateInstance | 0_2_00DB27B0
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1850880 > 1048576
Source: file.exe | Static PE information: Raw size of chjhfqsw is bigger than: 0x100000 < 0x19a000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d80000.0.unpack :EW; .rsrc:W; .idata:W; :EW; chjhfqsw:EW; ygjmzgca:EW; .taggant:EW; vs :ER; .rsrc:W; .idata:W; :EW; chjhfqsw:EW; ygjmzgca:EW; .taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb2c9 should be: 0x1d0c60
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: chjhfqsw
Source: file.exe | Static PE information: section name: ygjmzgca
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA8F9 push ecx; mov dword ptr [esp], 7FE3D4CBh | 0_2_00FBA938
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F750FC push ecx; mov dword ptr [esp], eax | 0_2_00F75125
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102091F push 7CB4555Fh; mov dword ptr [esp], edx | 0_2_01021121
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 108D8DD4h; mov dword ptr [esp], eax | 0_2_00F4D8E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push eax; mov dword ptr [esp], esp | 0_2_00F4D8E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ecx; mov dword ptr [esp], edx | 0_2_00F4D8E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push edi; mov dword ptr [esp], edx | 0_2_00F4D980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push esi; mov dword ptr [esp], edx | 0_2_00F4D9ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 374C4300h; mov dword ptr [esp], eax | 0_2_00F4DA11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 382124A7h; mov dword ptr [esp], ecx | 0_2_00F4DA2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 0E19047Ah; mov dword ptr [esp], esi | 0_2_00F4DA9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ecx; mov dword ptr [esp], edx | 0_2_00F4DAE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 6103C601h; mov dword ptr [esp], edi | 0_2_00F4DB14
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 6335A704h; mov dword ptr [esp], ebp | 0_2_00F4DB47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push esi; mov dword ptr [esp], 6CD3CDA1h | 0_2_00F4DB94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 18F3831Ah; mov dword ptr [esp], ecx | 0_2_00F4DC14
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push edi; mov dword ptr [esp], esp | 0_2_00F4DC2F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push edi; mov dword ptr [esp], 48BB6B96h | 0_2_00F4DCAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ecx; mov dword ptr [esp], edx | 0_2_00F4DD1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push edi; mov dword ptr [esp], eax | 0_2_00F4DD23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 3CB35C1Dh; mov dword ptr [esp], ecx | 0_2_00F4DDE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ecx; mov dword ptr [esp], 1EFF098Ah | 0_2_00F4DE38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 4D55F899h; mov dword ptr [esp], ebx | 0_2_00F4DEA9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 58269130h; mov dword ptr [esp], ebp | 0_2_00F4DEB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ebp; mov dword ptr [esp], edi | 0_2_00F4DEEC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 25D8DB24h; mov dword ptr [esp], edi | 0_2_00F4DF57
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ecx; mov dword ptr [esp], eax | 0_2_00F4E019
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push 772C5900h; mov dword ptr [esp], edx | 0_2_00F4E043
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push ecx; mov dword ptr [esp], ebx | 0_2_00F4E052
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push eax; mov dword ptr [esp], ebp | 0_2_00F4E0B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4D8D8 push eax; mov dword ptr [esp], esi | 0_2_00F4E0B6
Source: file.exe | Static PE information: section name: entropy: 7.980607909553371
Source: file.exe | Static PE information: section name: chjhfqsw entropy: 7.953813779228934

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F558A1 second address: F558A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F558A5 second address: F55960 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jp 00007F3544BE3EA3h 0x00000014 jmp 00007F3544BE3E9Dh 0x00000019 mov eax, dword ptr [eax] 0x0000001b push ecx 0x0000001c pushad 0x0000001d jmp 00007F3544BE3EA1h 0x00000022 jmp 00007F3544BE3EA6h 0x00000027 popad 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d jmp 00007F3544BE3EA9h 0x00000032 pop eax 0x00000033 sub dx, C4E3h 0x00000038 lea ebx, dword ptr [ebp+1244C2C3h] 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007F3544BE3E98h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 xchg eax, ebx 0x00000059 jns 00007F3544BE3E9Ah 0x0000005f push eax 0x00000060 jc 00007F3544BE3EB1h 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F669E5 second address: F66A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F35451B0436h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66A02 second address: F66A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73988 second address: F7398C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7398C second address: F73990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73990 second address: F739AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B0435h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73B71 second address: F73B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73B75 second address: F73BA5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F35451B0434h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F35451B042Ch 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F35451B0436h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73BA5 second address: F73BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3544BE3EA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73E4C second address: F73E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B042Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F35451B0426h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73E63 second address: F73E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e jmp 00007F3544BE3EA8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73E89 second address: F73EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35451B0433h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73EA0 second address: F73EB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73FED second address: F74007 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B0432h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F74007 second address: F7400D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7400D second address: F74020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007F35451B0449h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F74481 second address: F74485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F74899 second address: F748A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F748A2 second address: F748AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3544BE3E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F748AC second address: F748B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F748B0 second address: F748CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3544BE3E9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e js 00007F3544BE3E96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F748CD second address: F748FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F35451B042Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F35451B0426h 0x00000012 jmp 00007F35451B0433h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F748FA second address: F7491F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F3544BE3E96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F74A57 second address: F74A5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F75024 second address: F75029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F75029 second address: F7504B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F35451B0428h 0x00000008 jmp 00007F35451B042Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F35451B0426h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7504B second address: F75055 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3544BE3E96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F75055 second address: F7505F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7505F second address: F75065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F751FE second address: F75216 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007F35451B0448h 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jnp 00007F35451B0426h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F75216 second address: F75223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F3544BE3EA2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F75223 second address: F75229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C506 second address: F3C50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C50F second address: F3C514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C514 second address: F3C527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3544BE3E9Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C527 second address: F3C533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7C16B second address: F7C188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F3544BE3E9Bh 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F3544BE3E98h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7C2C0 second address: F7C2C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7C2C5 second address: F7C2CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7C2CB second address: F7C2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7C2CF second address: F7C2D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82CE7 second address: F82CF1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F35451B0426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82CF1 second address: F82CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823A4 second address: F823A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823A8 second address: F823AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823AE second address: F823C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F35451B042Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823C2 second address: F823C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82589 second address: F82591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F829F1 second address: F82A21 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3544BE3EA3h 0x00000008 jmp 00007F3544BE3E9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 jmp 00007F3544BE3EA5h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82A21 second address: F82A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F35451B0426h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82A2D second address: F82A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82A31 second address: F82A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84028 second address: F8402E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8402E second address: F84034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84BB8 second address: F84BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84BBC second address: F84BE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], ebx 0x00000009 mov dword ptr [ebp+122D1F69h], ecx 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F35451B0433h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84DE5 second address: F84DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85004 second address: F8500A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85585 second address: F855A7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3544BE3E9Ch 0x00000008 jns 00007F3544BE3E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3544BE3E9Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F855A7 second address: F855F8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F35451B0426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d je 00007F35451B0426h 0x00000013 popad 0x00000014 popad 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F35451B0428h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 push 00000000h 0x00000032 movzx edi, bx 0x00000035 sub dword ptr [ebp+122D1C26h], eax 0x0000003b push 00000000h 0x0000003d mov di, 61DFh 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jng 00007F35451B0426h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85EF6 second address: F85F0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jo 00007F3544BE3E9Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8712E second address: F87133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F879FF second address: F87A06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F87A06 second address: F87A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F35451B0438h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89222 second address: F89228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89228 second address: F8922C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F88F5E second address: F88F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8922C second address: F89242 instructions: 0x00000000 rdtsc 0x00000002 js 00007F35451B0426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d ja 00007F35451B0430h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89A02 second address: F89A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8A70A second address: F8A71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F35451B0426h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8A71B second address: F8A72B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3E9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C4F5 second address: F8C502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F35451B0426h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8AEBA second address: F8AEBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8EFE8 second address: F8EFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F911EE second address: F911F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9017B second address: F90185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F35451B0426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F911F2 second address: F911F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F15B second address: F8F1E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B042Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F35451B0428h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov edi, 14D2C63Eh 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov edi, dword ptr [ebp+122D281Dh] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov dword ptr [ebp+122D36AFh], eax 0x00000045 mov eax, dword ptr [ebp+122D0FCDh] 0x0000004b mov edi, eax 0x0000004d push FFFFFFFFh 0x0000004f xor edi, 7CA53ABFh 0x00000055 nop 0x00000056 jmp 00007F35451B0436h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F35451B042Ah 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F923A6 second address: F923AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93470 second address: F93474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9699E second address: F969A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F95AAC second address: F95AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F95B8D second address: F95B91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F95B91 second address: F95B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F95B97 second address: F95B9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F988C3 second address: F988C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F988C8 second address: F988CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9A8CA second address: F9A8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9D868 second address: F9D86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9D86F second address: F9D90E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F35451B042Ah 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F35451B0428h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 jmp 00007F35451B042Fh 0x0000002d add ebx, dword ptr [ebp+122D29A5h] 0x00000033 push 00000000h 0x00000035 add bx, 07ADh 0x0000003a cmc 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F35451B0428h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 jmp 00007F35451B042Bh 0x0000005c sub dword ptr [ebp+122D19BDh], edx 0x00000062 xchg eax, esi 0x00000063 jmp 00007F35451B0435h 0x00000068 push eax 0x00000069 pushad 0x0000006a push ebx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99AD2 second address: F99AE0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3544BE3E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9AA04 second address: F9AA19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B0431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9D9E8 second address: F9D9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3544BE3E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9D9F2 second address: F9DA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F35451B0428h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9EA07 second address: F9EA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FBC1 second address: F3FBC6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA72C6 second address: FA72CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA7427 second address: FA742D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA742D second address: FA744B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 js 00007F3544BE3E96h 0x0000000b jng 00007F3544BE3E96h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007F3544BE3E9Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA744B second address: FA7457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F35451B0426h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA7594 second address: FA759B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA759B second address: FA75B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F35451B0426h 0x00000009 jmp 00007F35451B042Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD5B3 second address: FAD5C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3544BE3E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD5C0 second address: FAD5E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F35451B0426h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F35451B042Eh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD5E4 second address: FAD5E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD5E8 second address: FAD5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD6D8 second address: FAD6DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD748 second address: FAD76E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F35451B0439h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD76E second address: FAD778 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3544BE3E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD778 second address: FAD78D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F35451B0428h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD78D second address: FAD797 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD797 second address: FAD7AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jp 00007F35451B0426h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD7AE second address: FAD7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F43236 second address: F43240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F35451B0426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F43240 second address: F43255 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3544BE3E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F3544BE3E96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F43255 second address: F43293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F35451B042Eh 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 jc 00007F35451B0426h 0x0000001b jmp 00007F35451B0438h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4564 second address: FB456A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB456A second address: FB4582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B0434h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4B30 second address: FB4B4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA3h 0x00000007 js 00007F3544BE3E9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4B4D second address: FB4B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F35451B042Ch 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4B64 second address: FB4B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4CBD second address: FB4CEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F35451B042Fh 0x0000000c jl 00007F35451B0426h 0x00000012 jmp 00007F35451B042Bh 0x00000017 popad 0x00000018 pop edi 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4E78 second address: FB4E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4E7C second address: FB4E9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B0432h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F35451B0428h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4E9A second address: FB4EB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F3544BE3EA5h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB4EB6 second address: FB4F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F35451B042Fh 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F35451B0438h 0x00000019 jmp 00007F35451B0430h 0x0000001e popad 0x0000001f jmp 00007F35451B0438h 0x00000024 push esi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5081 second address: FB5086 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5220 second address: FB522A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F35451B0426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB54FF second address: FB5549 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F3544BE3EA6h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3544BE3EA4h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5549 second address: FB554D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA00B second address: FBA010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA010 second address: FBA03A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F35451B043Eh 0x00000008 jmp 00007F35451B0436h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F35451B0426h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA18F second address: FBA195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA195 second address: FBA199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA459 second address: FBA462 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA462 second address: FBA469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA469 second address: FBA473 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3544BE3E9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA473 second address: FBA47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBA47D second address: FBA481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBAC30 second address: FBAC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F35451B0426h 0x0000000a pop edx 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edi 0x0000000f pop esi 0x00000010 pushad 0x00000011 jnc 00007F35451B042Ch 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBAC50 second address: FBAC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3544BE3EA9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBAC6F second address: FBAC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBAC77 second address: FBAC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3544BE3EA7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B7E3 second address: F6B7EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F35451B0426h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6B7EF second address: F6B7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBEAD0 second address: FBEAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBEAD6 second address: FBEAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jne 00007F3544BE3E9Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8CDFF second address: F8CE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8CE03 second address: F8CE07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D260 second address: F8D265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D265 second address: F8D280 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F3544BE3E96h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007F3544BE3EA2h 0x00000013 jnc 00007F3544BE3E9Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D280 second address: DDC858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 mov cx, BCD0h 0x00000009 push dword ptr [ebp+122D1755h] 0x0000000f movzx edi, cx 0x00000012 mov ecx, dword ptr [ebp+122D2919h] 0x00000018 call dword ptr [ebp+122D235Eh] 0x0000001e pushad 0x0000001f cmc 0x00000020 xor eax, eax 0x00000022 pushad 0x00000023 xor eax, 5D48E120h 0x00000029 mov ecx, dword ptr [ebp+122D2A71h] 0x0000002f popad 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 jmp 00007F35451B0439h 0x00000039 mov dword ptr [ebp+122D28DDh], eax 0x0000003f pushad 0x00000040 mov dx, ax 0x00000043 mov dword ptr [ebp+122D1AB0h], edi 0x00000049 popad 0x0000004a mov esi, 0000003Ch 0x0000004f mov dword ptr [ebp+122D1AB0h], edx 0x00000055 add esi, dword ptr [esp+24h] 0x00000059 mov dword ptr [ebp+122D1AB0h], edi 0x0000005f lodsw 0x00000061 pushad 0x00000062 jnp 00007F35451B042Ch 0x00000068 mov ebx, dword ptr [ebp+122D2859h] 0x0000006e xor edi, 1229CAB3h 0x00000074 popad 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 clc 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e jnc 00007F35451B042Ch 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 jne 00007F35451B0428h 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D5EC second address: F8D5F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D5F1 second address: F8D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F35451B0432h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 jmp 00007F35451B0430h 0x00000019 pop esi 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007F35451B0426h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D62F second address: F8D641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3E9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D71D second address: F8D738 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F35451B0428h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F35451B042Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DFE3 second address: F8E022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e jmp 00007F3544BE3EA2h 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pop edx 0x0000001d jl 00007F3544BE3E98h 0x00000023 push edi 0x00000024 pop edi 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jc 00007F3544BE3E96h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E022 second address: F8E028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E0EB second address: F8E0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E0EF second address: F8E10C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B0439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E10C second address: F8E16C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3544BE3E9Dh 0x00000008 jmp 00007F3544BE3E9Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 sbb dx, D94Fh 0x00000018 lea eax, dword ptr [ebp+12483BB7h] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F3544BE3E98h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 add dword ptr [ebp+122D2415h], esi 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jo 00007F3544BE3E96h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E16C second address: F8E170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E170 second address: F8E176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E176 second address: F8E1EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F35451B0426h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F35451B0428h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 lea eax, dword ptr [ebp+12483B73h] 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F35451B0428h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 and ecx, 60CFDAC1h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F35451B0438h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8E1EA second address: F6B7E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov cx, F2CAh 0x00000010 call dword ptr [ebp+122D1F21h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e pushad 0x0000001f push eax 0x00000020 pop eax 0x00000021 jmp 00007F3544BE3E9Fh 0x00000026 push esi 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBED5F second address: FBED7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F35451B0426h 0x0000000a push ebx 0x0000000b jmp 00007F35451B0433h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBEF28 second address: FBEF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF1BF second address: FBF1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF1C3 second address: FBF1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF1CC second address: FBF1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF1D7 second address: FBF1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF1DD second address: FBF1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B042Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF4E5 second address: FBF506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3544BE3EA5h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF506 second address: FBF50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF50C second address: FBF512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF512 second address: FBF517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF517 second address: FBF52E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3544BE3EA3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF683 second address: FBF69B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B042Ah 0x00000007 jng 00007F35451B0426h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF69B second address: FBF69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF69F second address: FBF6A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF6A7 second address: FBF6F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3544BE3EA5h 0x00000008 jbe 00007F3544BE3E96h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F3544BE3EA1h 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push edi 0x00000021 jmp 00007F3544BE3E9Fh 0x00000026 push esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B996 second address: F4B99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B99D second address: F4B9B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3544BE3EA2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCBC93 second address: FCBCA2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F35451B0426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCBCA2 second address: FCBCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC1D1 second address: FCC1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B0430h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC364 second address: FCC37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC917 second address: FCC91D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCC91D second address: FCC945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA7h 0x00000007 jg 00007F3544BE3E96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCCBE2 second address: FCCBE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCFD70 second address: FCFD76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFD76 second address: FCFD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF917 second address: FCF91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF91F second address: FCF925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFA66 second address: FCFA8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA6h 0x00000007 js 00007F3544BE3E96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFA8C second address: FCFA96 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F35451B0426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFA96 second address: FCFAA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3544BE3E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD7B7A second address: FD7B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD7B80 second address: FD7B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD7B84 second address: FD7BAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B042Eh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ecx 0x00000012 jmp 00007F35451B042Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD7BAA second address: FD7BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD7BB0 second address: FD7BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD727E second address: FD729E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3544BE3EA1h 0x00000009 jp 00007F3544BE3E96h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD729E second address: FD72A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F35451B0426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD72A8 second address: FD72AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD72AC second address: FD72BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 jno 00007F35451B0426h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD72BD second address: FD72D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F3544BE3EA2h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD72D8 second address: FD72ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B0431h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD72ED second address: FD72F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD75BD second address: FD75CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jg 00007F35451B0426h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA647 second address: FDA64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA64C second address: FDA652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA652 second address: FDA656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA656 second address: FDA679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B0433h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA679 second address: FDA6B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007F3544BE3EA8h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F3544BE3EA3h 0x00000013 jnl 00007F3544BE3E96h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA977 second address: FDA98E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F35451B042Ch 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA98E second address: FDA99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA99A second address: FDA9A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE069A second address: FE069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE069F second address: FE06A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF098 second address: FDF09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF09E second address: FDF0A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF373 second address: FDF379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF638 second address: FDF650 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F35451B042Ch 0x00000008 js 00007F35451B0426h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F35451B0426h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF650 second address: FDF654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8DA33 second address: F8DA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8DA37 second address: F8DA3D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8DA3D second address: F8DA43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8DA43 second address: F8DA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF945 second address: FDF949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF949 second address: FDF959 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3544BE3E96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5B47 second address: FE5B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B042Fh 0x00000009 popad 0x0000000a jmp 00007F35451B0433h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F35451B042Eh 0x00000018 jg 00007F35451B0426h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5B7F second address: FE5B97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3544BE3E9Fh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE6748 second address: FE674D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE6A0A second address: FE6A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE6A0E second address: FE6A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE6A1A second address: FE6A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE6CD9 second address: FE6CDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE7554 second address: FE7579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3544BE3E96h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F3544BE3EA5h 0x00000011 popad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE7579 second address: FE7580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE7580 second address: FE75B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3544BE3E9Dh 0x00000008 jmp 00007F3544BE3EA3h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3544BE3E9Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE75B7 second address: FE75BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE7878 second address: FE7893 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3544BE3EA4h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F3544BE3E9Ch 0x0000000f push esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE7893 second address: FE78B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F35451B0437h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F44DFA second address: F44E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F44E0E second address: F44E13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F44E13 second address: F44E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3544BE3E96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F3544BE3E9Bh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 push eax 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c pop eax 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDD33 second address: FEDD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B0433h 0x00000009 je 00007F35451B0426h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F35451B0426h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDD5B second address: FEDD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDD5F second address: FEDD77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35451B0434h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDD77 second address: FEDD7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDD7C second address: FEDD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B0430h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F35451B0426h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F48402 second address: F48419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3544BE3E96h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jbe 00007F3544BE3E9Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F48419 second address: F4841F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F4841F second address: F4842E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3E9Ah 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED02A second address: FED030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED13F second address: FED150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop eax 0x0000000d push edi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED3AD second address: FED3BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F35451B0426h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED6D6 second address: FED6DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED6DA second address: FED6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007F35451B0458h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED6EB second address: FED6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED6F1 second address: FED6F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED6F5 second address: FED6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FED8AD second address: FED8D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F35451B0439h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ja 00007F35451B042Eh 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDA2B second address: FEDA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDA33 second address: FEDA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F35451B0426h 0x0000000d jmp 00007F35451B042Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDA4B second address: FEDA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDA4F second address: FEDAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jc 00007F35451B0426h 0x0000000d jl 00007F35451B0426h 0x00000013 pop edi 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 jmp 00007F35451B0436h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f jno 00007F35451B0434h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F35451B0430h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEDAA7 second address: FEDAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF278F second address: FF279E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 js 00007F35451B042Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFA1EA second address: FFA1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFA532 second address: FFA55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F35451B0428h 0x0000000d pushad 0x0000000e jmp 00007F35451B0433h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFA982 second address: FFA99C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F3544BE3E96h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F3544BE3E96h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFAAAD second address: FFAAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F35451B0426h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFAAB9 second address: FFAABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFAABE second address: FFAAC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFAC88 second address: FFAC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFAC8E second address: FFAC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007F35451B042Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFAC9B second address: FFACB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3544BE3E98h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3544BE3E9Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFACB9 second address: FFACBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFB417 second address: FFB41D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFB41D second address: FFB435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F35451B042Eh 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFB435 second address: FFB439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFBBB9 second address: FFBBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9943 second address: FF994F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3544BE3E96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF994F second address: FF9954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10017C9 second address: 10017CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10017CF second address: 10017D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10017D3 second address: 10017F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3544BE3EA9h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10017F8 second address: 10017FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10012DA second address: 1001310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3544BE3EA5h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3544BE3EA0h 0x00000011 jmp 00007F3544BE3E9Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100148D second address: 1001491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1001491 second address: 100149F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F3544BE3E9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100149F second address: 10014AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F35451B0430h 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1002F29 second address: 1002F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1002F2D second address: 1002F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007F35451B0426h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 jmp 00007F35451B042Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10114B6 second address: 10114CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3544BE3EA3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10114CD second address: 10114D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1010E3E second address: 1010E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3544BE3E96h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1010FA8 second address: 1010FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1010FAD second address: 1010FCA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3544BE3E9Ch 0x00000008 jo 00007F3544BE3E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jp 00007F3544BE3ED0h 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1010FCA second address: 1010FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B042Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F35451B0438h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10131B2 second address: 10131C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F3544BE3E96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101C3C5 second address: 101C3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1025C06 second address: 1025C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3544BE3E9Ch 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102A042 second address: 102A055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B042Bh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102A055 second address: 102A05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102A7D3 second address: 102A7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F35451B0426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102A7DD second address: 102A805 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F3544BE3E96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F3544BE3E9Ch 0x00000012 jmp 00007F3544BE3E9Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102FD3A second address: 102FD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102FD41 second address: 102FD4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103214A second address: 1032158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B042Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032158 second address: 103215C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1034455 second address: 1034465 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F35451B0426h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103A930 second address: 103A94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F3544BE3EA0h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A94E second address: 103A967 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F35451B042Fh 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A967 second address: 103A96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10473E1 second address: 1047421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35451B042Ah 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007F35451B0439h 0x00000010 jmp 00007F35451B0430h 0x00000015 jno 00007F35451B0426h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1047421 second address: 1047436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jnp 00007F3544BE3E96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054A56 second address: 1054A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F35451B0439h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054A74 second address: 1054A94 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F3544BE3E9Ch 0x00000011 jne 00007F3544BE3E96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054A94 second address: 1054A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054A9E second address: 1054AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A501 second address: 106A507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A507 second address: 106A50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069317 second address: 106931B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069602 second address: 1069620 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3544BE3E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F3544BE3EA1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10698E0 second address: 10698E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10698E6 second address: 10698ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10698ED second address: 10698F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069C23 second address: 1069C43 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3544BE3E9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3544BE3EA0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069C43 second address: 1069C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1069DA3 second address: 1069DAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E770 second address: 106E774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E940 second address: 106E999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3544BE3EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3544BE3EA1h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 jo 00007F3544BE3E9Eh 0x00000018 push edx 0x00000019 jl 00007F3544BE3E96h 0x0000001f pop edx 0x00000020 push dword ptr [ebp+122D2410h] 0x00000026 push edx 0x00000027 mov dword ptr [ebp+1246FE2Fh], edx 0x0000002d pop edx 0x0000002e push 1CBE0968h 0x00000033 push eax 0x00000034 push edx 0x00000035 jnc 00007F3544BE3E9Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E999 second address: 106E99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E99D second address: 106E9A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E9A3 second address: 106E9A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E9A7 second address: 106E9AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107184A second address: 107184E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107184E second address: 1071856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071856 second address: 107185B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073432 second address: 107344A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F3544BE3E9Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107344A second address: 1073461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F35451B042Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DDC8E2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DDA33A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F8CF80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1004582 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 788 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2648 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1350930893.0000000001691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1350050559.0000000001691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1350050559.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1350930893.0000000001657000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBDF70 LdrInitializeThunk, 0_2_00DBDF70
Source: file.exe, 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: z9Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix by tactic (number of matching signatures in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2), At, Cron, Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (24), Process Injection (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (631), Virtualization/Sandbox Evasion (24), Process Discovery (2), System Information Discovery (223), Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (13), Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://occupy-blushi.sbs/api_ | 100% | Avira URL Cloud | malware
https://occupy-blushi.sbs/& | 100% | Avira URL Cloud | malware
https://occupy-blushi.sbs/f | 100% | Avira URL Cloud | malware
https://occupy-blushi.sbs/apiUs | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
occupy-blushi.sbs | 172.67.187.240 | true | false | | high
property-imper.sbs | unknown | unknown | false | | high
frogs-severz.sbs | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://occupy-blushi.sbs/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://occupy-blushi.sbs/api_ | file.exe, 00000000.00000002.1350883536.000000000162E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.micro | file.exe, 00000000.00000003.1350217159.00000000016DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1350050559.0000000001691000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://occupy-blushi.sbs/ | file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://occupy-blushi.sbs/apiUs | file.exe, 00000000.00000003.1350050559.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://occupy-blushi.sbs/& | file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://occupy-blushi.sbs/f | file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.187.240 | occupy-blushi.sbs | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562674
Start date and time: 2024-11-25 21:26:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/0@3/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe

Time | Type | Description
15:27:13 | API Interceptor | 3x Sleep call for process: file.exe modified
Match: 172.67.187.240
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar |
file.exe | malicious | Unknown |
file.exe | malicious | LummaC Stealer |
file.exe | malicious | Unknown |
file.exe | malicious | LummaC Stealer |
file.exe | malicious | Unknown |

Match: occupy-blushi.sbs
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.187.240
file.exe | malicious | Unknown | 172.67.187.240
file.exe | malicious | LummaC Stealer | 172.67.187.240
file.exe | malicious | LummaC Stealer | 104.21.7.169
file.exe | malicious | Unknown | 172.67.187.240
file.exe | malicious | Unknown | 104.21.7.169
file.exe | malicious | LummaC Stealer | 172.67.187.240
file.exe | malicious | Unknown | 172.67.187.240
file.exe | malicious | LummaC Stealer | 193.143.1.19

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://Saic.anastaclooverseas.com/zwfgemvfcbcitui/xivyvjldaquzs/Zgktmgjdfgpirwe89g0xmaersk/ixiswwcbzmfgee/jebqtppyunp/random.bby/inpoxqhfiww/gmail.com/ozwunijponqp8 | malicious | Unknown | 104.21.71.35
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.187.240
Fumari INC.eml | malicious | Unknown | 104.18.11.200
https://invites-doc.webflow.io/ | malicious | HTMLPhisher | 104.21.4.141
file.exe | malicious | Unknown | 172.67.187.240
Fumari INC.eml | malicious | Unknown | 104.18.11.200
http://www.thecrownstate.co.uk/ | malicious | Unknown | 104.21.19.197
https://sites.google.com/ceqy.com/rfp/home | malicious | HTMLPhisher | 104.21.68.132
https://yancesybros.com/WHF9842BVD.html | malicious | Unknown | 104.17.25.14
Orden de compra HO-PO-376-25.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 172.67.74.152

Match: a0e9f5d64349fb13191bc781f81f42e1 (JA3 fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.187.240
file.exe | malicious | Unknown | 172.67.187.240
file.exe | malicious | LummaC Stealer | 172.67.187.240
file.exe | malicious | LummaC Stealer | 172.67.187.240
file.exe | malicious | Unknown | 172.67.187.240
file.exe | malicious | Unknown | 172.67.187.240
file.exe | malicious | LummaC Stealer | 172.67.187.240
file.exe | malicious | Unknown | 172.67.187.240
pJKrbGSI.ps1 | malicious | LummaC | 172.67.187.240
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947954940236612
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'850'880 bytes
MD5: 339b28fd2dbb4a572a4fc6b7207448d7
SHA1: d6ca6c0291a42d08bf0cdd9e8b528ee2ac90f0d8
SHA256: dcfcbcb7ccf29f1ef5e01d31ed51789783c2e2a3ab2a77543cde49479556ae37
SHA512: 61527fb19bafcb69cd612f44f7a1fa0fc89e1ef68053cb81e78551a50e65477a2f9b8840b4a85c8896449dc1d0c84d123a798b00b0f0ed8f4141d444812e4796
SSDEEP: 24576:1hhHkf/955G4RlyaZuG8zPVqNAZLXXAoSNfQ/DIrLqqrxh3eF6URMgevUaklfJ:1PmvmaoG8LkAdXs3Lqqr4B41kn
TLSH: 1485332C5DB5BA20DFA24F356AAED397746DD830886924D8C01B1C1ADD3DCBFA20427D
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................I...........@...........................I...........@.................................\...p..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x898000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           | 0x1000 | 0x56000 | 0x26200 | 6032ff6adb6fe9a1dc52c1052da302ab | False | 0.9992891905737705 | data | 7.980607909553371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x57000 | 0x2b0 | 0x200 | 601aaf2ddc8432fda84ba533f53f8c27 | False | 0.794921875 | data | 6.0287096467681955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           | 0x59000 | 0x2a4000 | 0x200 | 943b1c1c1dc64f42b49de8bb838966df | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          chjhfqsw | 0x2fd000 | 0x19a000 | 0x19a000 | 88a2ca153b5679506e1928f6f1834250 | False | 0.9945550685975609 | data | 7.953813779228934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          ygjmzgca | 0x497000 | 0x1000 | 0x400 | 5791bb79a6cc56df0026560dcebd3296 | False | 0.7958984375 | data | 6.163179520062843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .taggant | 0x498000 | 0x3000 | 0x2200 | a30ec3b9dac1c4a14eac599c761fb0c2 | False | 0.06456801470588236 | DOS executable (COM) | 0.7048887987594693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_MANIFEST | 0x496be0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
                          DLL | Import
                          kernel32.dll | lstrcpy
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-11-25T21:27:16.124531+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.187.240 | 443 | TCP
                          2024-11-25T21:27:16.819414+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49701 | 172.67.187.240 | 443 | TCP
                          2024-11-25T21:27:16.819414+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 172.67.187.240 | 443 | TCP
                          2024-11-25T21:27:18.018889+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 172.67.187.240 | 443 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 25, 2024 21:27:14.888839960 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:14.888880014 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:14.888947010 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:14.901694059 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:14.901707888 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.124361038 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.124531031 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.127958059 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.127975941 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.128288984 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.174968958 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.188673973 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.188714981 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.188810110 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.819447994 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.819564104 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.819669962 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.821149111 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.821149111 CET | 49701 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.821171045 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.821180105 CET | 443 | 49701 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.900747061 CET | 49703 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.900787115 CET | 443 | 49703 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:16.900872946 CET | 49703 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.901227951 CET | 49703 | 443 | 192.168.2.7 | 172.67.187.240
                          Nov 25, 2024 21:27:16.901241064 CET | 443 | 49703 | 172.67.187.240 | 192.168.2.7
                          Nov 25, 2024 21:27:18.018888950 CET | 49703 | 443 | 192.168.2.7 | 172.67.187.240
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 25, 2024 21:27:14.054586887 CET | 49702 | 53 | 192.168.2.7 | 1.1.1.1
                          Nov 25, 2024 21:27:14.274841070 CET | 53 | 49702 | 1.1.1.1 | 192.168.2.7
                          Nov 25, 2024 21:27:14.281172037 CET | 54382 | 53 | 192.168.2.7 | 1.1.1.1
                          Nov 25, 2024 21:27:14.595819950 CET | 53 | 54382 | 1.1.1.1 | 192.168.2.7
                          Nov 25, 2024 21:27:14.614350080 CET | 53676 | 53 | 192.168.2.7 | 1.1.1.1
                          Nov 25, 2024 21:27:14.860130072 CET | 53 | 53676 | 1.1.1.1 | 192.168.2.7
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Nov 25, 2024 21:27:14.054586887 CET | 192.168.2.7 | 1.1.1.1 | 0x87f3 | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false
                          Nov 25, 2024 21:27:14.281172037 CET | 192.168.2.7 | 1.1.1.1 | 0x8dd0 | Standard query (0) | frogs-severz.sbs | A (IP address) | IN (0x0001) | false
                          Nov 25, 2024 21:27:14.614350080 CET | 192.168.2.7 | 1.1.1.1 | 0x4e18 | Standard query (0) | occupy-blushi.sbs | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Nov 25, 2024 21:27:14.274841070 CET | 1.1.1.1 | 192.168.2.7 | 0x87f3 | Name error (3) | property-imper.sbs | none | none | A (IP address) | IN (0x0001) | false
                          Nov 25, 2024 21:27:14.595819950 CET | 1.1.1.1 | 192.168.2.7 | 0x8dd0 | Name error (3) | frogs-severz.sbs | none | none | A (IP address) | IN (0x0001) | false
                          Nov 25, 2024 21:27:14.860130072 CET | 1.1.1.1 | 192.168.2.7 | 0x4e18 | No error (0) | occupy-blushi.sbs | | 172.67.187.240 | A (IP address) | IN (0x0001) | false
                          Nov 25, 2024 21:27:14.860130072 CET | 1.1.1.1 | 192.168.2.7 | 0x4e18 | No error (0) | occupy-blushi.sbs | | 104.21.7.169 | A (IP address) | IN (0x0001) | false
                          • occupy-blushi.sbs
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.7 | 49701 | 172.67.187.240 | 443 | 6676 | C:\Users\user\Desktop\file.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-11-25 20:27:16 UTC | 264 | OUT | POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 8
                          Host: occupy-blushi.sbs
                          2024-11-25 20:27:16 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                          Data Ascii: act=life
                          2024-11-25 20:27:16 UTC | 1015 | IN | HTTP/1.1 200 OK
                          Date: Mon, 25 Nov 2024 20:27:16 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=7mkoogghksf06cq2iagice326s; expires=Fri, 21-Mar-2025 14:13:55 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vax5xN%2FegDF%2Ftshy65vNvIrsnnw8gAhuBcx6hEzCS0%2F924MSDy0CVREp5lJBTRtjoF5dx6WvKHWK6PzviAvQyIIqgtiodeCXS0SL7E2bQOcj2JnWX29jOuEWfk2NnVdS3TCu7w%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8e8460e37ffa80e2-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1643&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1763285&cwnd=114&unsent_bytes=0&cid=67103e0cc00306ed&ts=710&x=0"
                          2024-11-25 20:27:16 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                          Data Ascii: 2ok
                          2024-11-25 20:27:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0



                          Target ID:0
                          Start time:15:27:11
                          Start date:25/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xd80000
                          File size:1'850'880 bytes
                          MD5 hash:339B28FD2DBB4A572A4FC6B7207448D7
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:3.3%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:66%
                            Total number of Nodes:238
                            Total number of Limit Nodes:13
                            execution_graph 6947 d8e0d8 6948 d8e100 6947->6948 6950 d8e16e 6948->6950 6963 dbdf70 LdrInitializeThunk 6948->6963 6952 d8e22e 6950->6952 6964 dbdf70 LdrInitializeThunk 6950->6964 6965 da5e90 6952->6965 6954 d8e29d 6973 da6190 6954->6973 6956 d8e2bd 6983 da7e20 6956->6983 6960 d8e2e6 7003 da8c90 6960->7003 6962 d8e2ef 6963->6950 6964->6952 6972 da5f30 6965->6972 6966 da60b5 6969 da1790 2 API calls 6966->6969 6967 da6026 7006 da1790 6967->7006 6971 da6020 6969->6971 6971->6954 6972->6966 6972->6967 6972->6971 7012 dc0f60 6972->7012 6974 da619e 6973->6974 7045 dc0b70 6974->7045 6976 dc0f60 2 API calls 6981 da5fe0 6976->6981 6977 da60b5 6980 da1790 2 API calls 6977->6980 6978 da6026 6982 da1790 2 API calls 6978->6982 6979 da6020 6979->6956 6980->6979 6981->6976 6981->6977 6981->6978 6981->6979 6982->6977 6984 da80a0 6983->6984 6985 da7e4c 6983->6985 6993 d8e2dd 6983->6993 6994 da80d7 6983->6994 7050 dbded0 6984->7050 6985->6984 6985->6985 6986 dc0f60 2 API calls 6985->6986 6988 dc0b70 LdrInitializeThunk 6985->6988 6985->6993 6985->6994 6986->6985 6988->6985 6989 dc0b70 LdrInitializeThunk 6989->6994 6992 dbdf70 LdrInitializeThunk 6992->6994 6995 da8770 6993->6995 6994->6989 6994->6992 6994->6993 7054 dc0c80 6994->7054 7062 dc1580 6994->7062 6996 da87a0 6995->6996 6997 da882e 6996->6997 7074 dbdf70 LdrInitializeThunk 6996->7074 6998 dbb7e0 RtlAllocateHeap 6997->6998 7002 da895e 6997->7002 7000 da88b1 6998->7000 7000->7002 7075 dbdf70 LdrInitializeThunk 7000->7075 7002->6960 7076 da8cb0 7003->7076 7005 da8c99 7005->6962 7007 da17a0 7006->7007 7007->7007 7008 da183e 7007->7008 7010 da1861 7007->7010 7020 dc0610 7007->7020 7008->6966 7010->7008 7024 da3d70 7010->7024 7014 dc0f90 7012->7014 7013 dc0fde 7015 dbb7e0 RtlAllocateHeap 7013->7015 7019 dc10ae 7013->7019 7014->7013 7043 dbdf70 LdrInitializeThunk 7014->7043 7017 dc101f 7015->7017 7017->7019 7044 dbdf70 LdrInitializeThunk 7017->7044 7019->6972 7021 dc0630 7020->7021 7022 dc075e 7021->7022 
7036 dbdf70 LdrInitializeThunk 7021->7036 7022->7010 7025 dc0480 LdrInitializeThunk 7024->7025 7026 da3db0 7025->7026 7033 da44c3 7026->7033 7037 dbb7e0 7026->7037 7029 da3dee 7035 da3e7c 7029->7035 7040 dbdf70 LdrInitializeThunk 7029->7040 7030 da4427 7030->7033 7042 dbdf70 LdrInitializeThunk 7030->7042 7031 dbb7e0 RtlAllocateHeap 7031->7035 7033->7008 7035->7030 7035->7031 7041 dbdf70 LdrInitializeThunk 7035->7041 7036->7022 7038 dbb800 7037->7038 7038->7038 7039 dbb83f RtlAllocateHeap 7038->7039 7039->7029 7040->7029 7041->7035 7042->7030 7043->7013 7044->7019 7046 dc0b90 7045->7046 7047 dc0c4f 7046->7047 7049 dbdf70 LdrInitializeThunk 7046->7049 7047->6981 7049->7047 7051 dbdeea 7050->7051 7052 dbdf3e 7050->7052 7051->6994 7053 dbb7e0 RtlAllocateHeap 7052->7053 7053->7051 7055 dc0cb0 7054->7055 7056 dc0cfe 7055->7056 7070 dbdf70 LdrInitializeThunk 7055->7070 7058 dbb7e0 RtlAllocateHeap 7056->7058 7061 dc0e0f 7056->7061 7059 dc0d8b 7058->7059 7059->7061 7071 dbdf70 LdrInitializeThunk 7059->7071 7061->6994 7061->7061 7063 dc1591 7062->7063 7064 dc163e 7063->7064 7072 dbdf70 LdrInitializeThunk 7063->7072 7065 dbb7e0 RtlAllocateHeap 7064->7065 7068 dc17de 7064->7068 7067 dc16ae 7065->7067 7067->7068 7073 dbdf70 LdrInitializeThunk 7067->7073 7068->6994 7070->7056 7071->7061 7072->7064 7073->7068 7074->6997 7075->7002 7077 da8d10 7076->7077 7077->7077 7086 dbb8e0 7077->7086 7079 da8d6d 7079->7005 7081 da8d45 7081->7079 7084 da8e66 7081->7084 7094 dbbb20 7081->7094 7098 dbc040 7081->7098 7084->7084 7085 da8ece 7084->7085 7106 dbbfa0 7084->7106 7085->7005 7087 dbb900 7086->7087 7088 dbb93e 7087->7088 7110 dbdf70 LdrInitializeThunk 7087->7110 7089 dbb7e0 RtlAllocateHeap 7088->7089 7093 dbba1f 7088->7093 7091 dbb9c5 7089->7091 7091->7093 7111 dbdf70 LdrInitializeThunk 7091->7111 7093->7081 7095 dbbbce 7094->7095 7096 dbbb31 7094->7096 7095->7081 7096->7095 7112 dbdf70 LdrInitializeThunk 7096->7112 7100 dbc090 7098->7100 7099 dbc73e 7099->7081 7105 dbc0d8 7100->7105 7113 
dbdf70 LdrInitializeThunk 7100->7113 7102 dbc6cf 7102->7099 7114 dbdf70 LdrInitializeThunk 7102->7114 7104 dbdf70 LdrInitializeThunk 7104->7105 7105->7099 7105->7102 7105->7104 7105->7105 7108 dbbfc0 7106->7108 7107 dbc00e 7107->7084 7108->7107 7115 dbdf70 LdrInitializeThunk 7108->7115 7110->7088 7111->7093 7112->7095 7113->7105 7114->7099 7115->7107 7140 d8e970 7141 d8e8b8 7140->7141 7143 d8e948 7141->7143 7144 dbdf70 LdrInitializeThunk 7141->7144 7143->7143 7144->7143 7145 d99130 7146 dbb8e0 2 API calls 7145->7146 7147 d99158 7146->7147 7184 d9db30 7185 d9db70 7184->7185 7186 d8b210 RtlAllocateHeap 7185->7186 7187 d9dda8 7186->7187 6925 d8ceb3 CoInitializeSecurity 6926 d8d7d3 CoUninitialize 6927 d8d7da 6926->6927 7135 d8dc33 7136 d8dcd0 7135->7136 7136->7136 7137 d8dd4e 7136->7137 7139 dbdf70 LdrInitializeThunk 7136->7139 7139->7137 7188 d8c32b 7189 dbded0 RtlAllocateHeap 7188->7189 7190 d8c338 7189->7190 7127 d8e88f 7128 d8e88e 7127->7128 7128->7127 7130 d8e89c 7128->7130 7133 dbdf70 LdrInitializeThunk 7128->7133 7132 d8e948 7130->7132 7134 dbdf70 LdrInitializeThunk 7130->7134 7133->7130 7134->7132 6874 d889a0 6878 d889af 6874->6878 6875 d88cb3 ExitProcess 6876 d88cae 6883 dbdeb0 6876->6883 6878->6875 6878->6876 6882 d8ce80 CoInitializeEx 6878->6882 6886 dbf460 6883->6886 6885 dbdeb5 FreeLibrary 6885->6875 6887 dbf469 6886->6887 6887->6885 7179 d8dfe0 7181 d8e010 7179->7181 7180 d8e081 7181->7180 7183 dbdf70 LdrInitializeThunk 7181->7183 7183->7180 7158 d8a2e1 7159 d8a3d0 7158->7159 7159->7159 7162 d8b210 7159->7162 7164 d8b2a0 7162->7164 7163 dbded0 RtlAllocateHeap 7163->7164 7164->7163 7165 d8a3fe 7164->7165 6888 da1960 6889 da19d8 6888->6889 6894 d99530 6889->6894 6891 da1a84 6892 d99530 LdrInitializeThunk 6891->6892 6893 da1b29 6892->6893 6895 d99560 6894->6895 6895->6895 6906 dc0480 6895->6906 6897 d9962e 6898 d99756 6897->6898 6899 d9974b 6897->6899 6901 dc0480 LdrInitializeThunk 6897->6901 6902 d996ca 6897->6902 6904 d99783 6897->6904 6898->6902 
6898->6904 6910 dc0880 6898->6910 6916 dc07b0 6899->6916 6901->6897 6902->6891 6904->6902 6920 dbdf70 LdrInitializeThunk 6904->6920 6908 dc04a0 6906->6908 6907 dc05be 6907->6897 6908->6907 6921 dbdf70 LdrInitializeThunk 6908->6921 6911 dc08b0 6910->6911 6914 dc08fe 6911->6914 6922 dbdf70 LdrInitializeThunk 6911->6922 6912 dc09ae 6912->6904 6914->6912 6923 dbdf70 LdrInitializeThunk 6914->6923 6918 dc07e0 6916->6918 6917 dc082e 6917->6898 6918->6917 6924 dbdf70 LdrInitializeThunk 6918->6924 6920->6902 6921->6907 6922->6914 6923->6912 6924->6917 6928 dbb7e0 6929 dbb800 6928->6929 6929->6929 6930 dbb83f RtlAllocateHeap 6929->6930 7116 dbbce0 7117 dbbd5a 7116->7117 7118 dbbcf2 7116->7118 7118->7117 7120 dbbd52 7118->7120 7124 dbdf70 LdrInitializeThunk 7118->7124 7121 dbbede 7120->7121 7125 dbdf70 LdrInitializeThunk 7120->7125 7121->7117 7126 dbdf70 LdrInitializeThunk 7121->7126 7124->7120 7125->7121 7126->7117 7148 dc02c0 7149 dc02e0 7148->7149 7149->7149 7150 dc041e 7149->7150 7152 dbdf70 LdrInitializeThunk 7149->7152 7152->7150 7171 dc0a00 7172 dc0a30 7171->7172 7172->7172 7175 dc0a7e 7172->7175 7177 dbdf70 LdrInitializeThunk 7172->7177 7174 dc0b2e 7175->7174 7178 dbdf70 LdrInitializeThunk 7175->7178 7177->7175 7178->7174 6931 d8cf05 6932 d8cf20 6931->6932 6937 db9030 6932->6937 6934 d8cf7a 6935 db9030 5 API calls 6934->6935 6936 d8d3ca 6935->6936 6939 db9090 6937->6939 6938 db966a 6940 db969c GetVolumeInformationW 6938->6940 6939->6938 6939->6939 6941 db91b1 SysAllocString 6939->6941 6945 db96ba 6940->6945 6942 db91df 6941->6942 6942->6938 6943 db91ea CoSetProxyBlanket 6942->6943 6943->6938 6946 db920a 6943->6946 6944 db9658 SysFreeString SysFreeString 6944->6938 6945->6934 6946->6944

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 db9030-db9089 1 db9090-db90c6 0->1 1->1 2 db90c8-db90e4 1->2 4 db90f1-db913f 2->4 5 db90e6 2->5 7 db968c-db96b8 call dbf9a0 GetVolumeInformationW 4->7 8 db9145-db9177 4->8 5->4 13 db96ba 7->13 14 db96bc-db96df call da0650 7->14 10 db9180-db91af 8->10 10->10 12 db91b1-db91e4 SysAllocString 10->12 18 db91ea-db9204 CoSetProxyBlanket 12->18 19 db9674-db9688 12->19 13->14 22 db96e0-db96e8 14->22 20 db966a-db9670 18->20 21 db920a-db9225 18->21 19->7 20->19 23 db9230-db9262 21->23 22->22 24 db96ea-db96ec 22->24 23->23 26 db9264-db92df 23->26 27 db96fe-db972d call da0650 24->27 28 db96ee-db96fb call d88330 24->28 36 db92e0-db930b 26->36 35 db9730-db9738 27->35 28->27 35->35 37 db973a-db973c 35->37 36->36 38 db930d-db933d 36->38 39 db974e-db977d call da0650 37->39 40 db973e-db974b call d88330 37->40 49 db9658-db9668 SysFreeString * 2 38->49 50 db9343-db9365 38->50 46 db9780-db9788 39->46 40->39 46->46 48 db978a-db978c 46->48 51 db979e-db97cb call da0650 48->51 52 db978e-db979b call d88330 48->52 49->20 57 db964b-db9655 50->57 58 db936b-db936e 50->58 60 db97d0-db97d8 51->60 52->51 57->49 58->57 61 db9374-db9379 58->61 60->60 63 db97da-db97dc 60->63 61->57 62 db937f-db93cf 61->62 69 db93d0-db9416 62->69 65 db97ee-db97f5 63->65 66 db97de-db97eb call d88330 63->66 66->65 69->69 71 db9418-db942d 69->71 72 db9431-db9433 71->72 73 db9439-db943f 72->73 74 db9636-db9647 72->74 73->74 75 db9445-db9452 73->75 74->57 77 db948d 75->77 78 db9454-db9459 75->78 79 db948f-db94b7 call d882b0 77->79 80 db946c-db9470 78->80 90 db95e8-db95f9 79->90 91 db94bd-db94cb 79->91 83 db9472-db947b 80->83 84 db9460 80->84 87 db947d-db9480 83->87 88 db9482-db9486 83->88 86 db9461-db946a 84->86 86->79 86->80 87->86 88->86 89 db9488-db948b 88->89 89->86 93 db95fb 90->93 94 db9600-db960c 90->94 91->90 92 db94d1-db94d5 91->92 95 db94e0-db94ea 92->95 93->94 96 db960e 94->96 97 db9613-db9633 call d882e0 call d882c0 94->97 98 db94ec-db94f1 95->98 99 db9500-db9506 
95->99 96->97 97->74 101 db9590-db9596 98->101 102 db9508-db950b 99->102 103 db9525-db9533 99->103 105 db9598-db959e 101->105 102->103 106 db950d-db9523 102->106 107 db95aa-db95b3 103->107 108 db9535-db9538 103->108 105->90 111 db95a0-db95a2 105->111 106->101 112 db95b9-db95bc 107->112 113 db95b5-db95b7 107->113 108->107 114 db953a-db9581 108->114 111->95 115 db95a8 111->115 116 db95be-db95e2 112->116 117 db95e4-db95e6 112->117 113->105 114->101 115->90 116->101 117->101
                            APIs
                            • SysAllocString.OLEAUT32(13C511C2), ref: 00DB91B7
                            • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00DB91FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: AllocBlanketProxyString
                            • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                            • API String ID: 900851650-4011188741
                            • Opcode ID: 7d440533c71bb56e8b83df021d1046efd5dc48a0edb372bc461201ff5977d025
                            • Instruction ID: e3544d2b50ef1ed025634fc1733d4cf89b9642db9ef14dfef12ae8bf26a6642b
                            • Opcode Fuzzy Hash: 7d440533c71bb56e8b83df021d1046efd5dc48a0edb372bc461201ff5977d025
                            • Instruction Fuzzy Hash: 762243719083419BE320CF24CC91B9BFBE6EF95314F188A1CF6969B281D774D905CBA2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 118 d8cf05-d8cf12 119 d8cf20-d8cf5c 118->119 119->119 120 d8cf5e-d8cfa5 call d88930 call db9030 119->120 125 d8cfb0-d8cffc 120->125 125->125 126 d8cffe-d8d06b 125->126 127 d8d070-d8d097 126->127 127->127 128 d8d099-d8d0aa 127->128 129 d8d0cb-d8d0d3 128->129 130 d8d0ac-d8d0b3 128->130 132 d8d0eb-d8d0f8 129->132 133 d8d0d5-d8d0d6 129->133 131 d8d0c0-d8d0c9 130->131 131->129 131->131 135 d8d0fa-d8d101 132->135 136 d8d11b-d8d123 132->136 134 d8d0e0-d8d0e9 133->134 134->132 134->134 137 d8d110-d8d119 135->137 138 d8d13b-d8d266 136->138 139 d8d125-d8d126 136->139 137->136 137->137 140 d8d270-d8d2ce 138->140 141 d8d130-d8d139 139->141 140->140 142 d8d2d0-d8d2ff 140->142 141->138 141->141 143 d8d300-d8d31a 142->143 143->143 144 d8d31c-d8d36b call d8b960 143->144 147 d8d370-d8d3ac 144->147 147->147 148 d8d3ae-d8d3c5 call d88930 call db9030 147->148 152 d8d3ca-d8d3eb 148->152 153 d8d3f0-d8d43c 152->153 153->153 154 d8d43e-d8d4ab 153->154 155 d8d4b0-d8d4d7 154->155 155->155 156 d8d4d9-d8d4ea 155->156 157 d8d4fb-d8d503 156->157 158 d8d4ec-d8d4ef 156->158 160 d8d51b-d8d528 157->160 161 d8d505-d8d506 157->161 159 d8d4f0-d8d4f9 158->159 159->157 159->159 163 d8d52a-d8d531 160->163 164 d8d54b-d8d557 160->164 162 d8d510-d8d519 161->162 162->160 162->162 165 d8d540-d8d549 163->165 166 d8d559-d8d55a 164->166 167 d8d56b-d8d696 164->167 165->164 165->165 168 d8d560-d8d569 166->168 169 d8d6a0-d8d6fe 167->169 168->167 168->168 169->169 170 d8d700-d8d72f 169->170 171 d8d730-d8d74a 170->171 171->171 172 d8d74c-d8d791 call d8b960 171->172
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: ()$+S7U$,_"Q$0C%E$7W"i$;[*]$<KuM$DF697845F9E2745CD7CBBD6DF28D3732$N3F5$S7HI$occupy-blushi.sbs$y?O1$c]e$gy
                            • API String ID: 0-1522842041
                            • Opcode ID: 2d271ebd3dfd002542daca8e0144abebdded9624ad47925e5aa13b2949f935c2
                            • Instruction ID: 93d4c599f77a277905dcf52e30a941f8092210fdd1bf6c274143e0fe6f37d7d0
                            • Opcode Fuzzy Hash: 2d271ebd3dfd002542daca8e0144abebdded9624ad47925e5aa13b2949f935c2
                            • Instruction Fuzzy Hash: 1012FDB15483C18ED3358F25D495BEFBBE2EBD2304F18895CC4DA5B296C775090ACBA2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 203 d889a0-d889b1 call dbcb70 206 d88cb3-d88cbb ExitProcess 203->206 207 d889b7-d889cf call db6620 203->207 211 d88cae call dbdeb0 207->211 212 d889d5-d889fb 207->212 211->206 216 d889fd-d889ff 212->216 217 d88a01-d88bda 212->217 216->217 219 d88c8a-d88ca2 call d89ed0 217->219 220 d88be0-d88c50 217->220 219->211 225 d88ca4 call d8ce80 219->225 221 d88c52-d88c54 220->221 222 d88c56-d88c88 220->222 221->222 222->219 227 d88ca9 call d8b930 225->227 227->211
                            APIs
                            • ExitProcess.KERNEL32(00000000), ref: 00D88CB5
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: a3f4b01fe862b5dacf246f8a75829f8bd51aa962ecf33f39f305ace97564e467
                            • Instruction ID: 1bf13e32fb4f53ad25792773e82ba47aff7eca77b469fd6b1164718436655fcd
                            • Opcode Fuzzy Hash: a3f4b01fe862b5dacf246f8a75829f8bd51aa962ecf33f39f305ace97564e467
                            • Instruction Fuzzy Hash: 19710473B547044BC708DEBAD89235AFAD2ABC8710F0DD83DA889D7390EEB89C054795

                            Control-flow Graph
                            • Basic blocks: 234 dbdf70-dbdfa2 LdrInitializeThunk
                            APIs
                            • LdrInitializeThunk.NTDLL(00DBBA46,?,00000010,00000005,00000000,?,00000000,?,?,00D99158,?,?,00D919B4), ref: 00DBDF9E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                            • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                            • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                            • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                            Control-flow Graph
                            • Basic blocks: 229 dbb7e0-dbb7ff; 230 dbb800-dbb83d; 231 dbb83f-dbb85b RtlAllocateHeap
                            • Edges: 229->230, 230->230, 230->231
                            APIs
                            • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00DBB84E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: c00b625cb6aedd8690ed0dfab0f35c3baa3c2811e61f48153e834c43e6b7eb24
                            • Instruction ID: 5ee56de3989c1697f43d1bf10b48fa01da5fea43ddc16716f972d503c9cdd363
                            • Opcode Fuzzy Hash: c00b625cb6aedd8690ed0dfab0f35c3baa3c2811e61f48153e834c43e6b7eb24
                            • Instruction Fuzzy Hash: 4E019933A457080BC300AF7CDCD469ABB96EFD9324F2A467DE5D4873D0DA31990AC295

                            Control-flow Graph
                            • Basic blocks: 232 d8ce80-d8ceb0 CoInitializeEx
                            APIs
                            • CoInitializeEx.COMBASE(00000000,00000002), ref: 00D8CE94
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: f077e43897807f02b468d3895b0410b327bb2bd2b7042058a70c70e703636fd0
                            • Instruction ID: 6667e3e545ae3d38dd16c9458387b2f8ba8e337542aad91727576cecb7ce9072
                            • Opcode Fuzzy Hash: f077e43897807f02b468d3895b0410b327bb2bd2b7042058a70c70e703636fd0
                            • Instruction Fuzzy Hash: F4D0A7212A034A77E114A22CEC57F27325DC702754F440626F6A2DA3D2D951A916A077

                            Control-flow Graph
                            • Basic blocks: 233 d8ceb3-d8cee2 CoInitializeSecurity
                            APIs
                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00D8CEC6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeSecurity
                            • String ID:
                            • API String ID: 640775948-0
                            • Opcode ID: debff45cf96007146f044ea97e6fd95bcb032c6717c946d5ee755228a0f18b23
                            • Instruction ID: f6d5a78a29c14234afce692fc06bf80b93a75945ea5d87c372eef84a9acd25cd
                            • Opcode Fuzzy Hash: debff45cf96007146f044ea97e6fd95bcb032c6717c946d5ee755228a0f18b23
                            • Instruction Fuzzy Hash: F8D0C9313D4343BAF96886089C53F1022058705F29F340A08B332FE3D1CCD0B1428518

                            Control-flow Graph
                            • Basic blocks: 265 d8d7d3-d8d7d8 CoUninitialize; 266 d8d7da-d8d7e1
                            • Edges: 265->266
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: Uninitialize
                            • String ID:
                            • API String ID: 3861434553-0
                            • Opcode ID: 16fe2eebee18882263dc378fbe18f9783be80f5ba620bbafdd7680db7409119d
                            • Instruction ID: 64c1c76747dac98cf07f7ee528d8371df797e86caa126fa0fe462e79efaf3032
                            • Opcode Fuzzy Hash: 16fe2eebee18882263dc378fbe18f9783be80f5ba620bbafdd7680db7409119d
                            • Instruction Fuzzy Hash: 09A02437F10014445F4000F47C010DDF310D1C00377100373C31CC1400D533113501C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                            • API String ID: 1279760036-1524723224
                            • Opcode ID: 7a919959b8f08d0c3b1f09e08b0679f250babaaba259fde95b43d3d3ff1dc05a
                            • Instruction ID: d1f29b688348e970d5587e763f40d1d942300eda3de78c0df25d36b571bd8129
                            • Opcode Fuzzy Hash: 7a919959b8f08d0c3b1f09e08b0679f250babaaba259fde95b43d3d3ff1dc05a
                            • Instruction Fuzzy Hash: 66227CB150C3808FD7259F28C4943AEBBE1ABD6314F18492DE5D987392D7BAC845CB63
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                            • API String ID: 0-1787199350
                            • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                            • Instruction ID: 4d529121fc66516adc8be685d4832fe26e47cbe64fc16c2ac3b3c1c27f1f13bb
                            • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                            • Instruction Fuzzy Hash: 30B1B37010C3818FD3159F2984607ABFFE1AB97754F1C49ACE4D58B392D779890ACBA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: DF697845F9E2745CD7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                            • API String ID: 0-804455393
                            • Opcode ID: 5c7934f6d6dd819d54551179189dd321363f3773b40782e3abfe363a7436ad28
                            • Instruction ID: 4b5cef6f46817302c772ea84da6ead2db05340a9a65b7de317ad9bf6f392476f
                            • Opcode Fuzzy Hash: 5c7934f6d6dd819d54551179189dd321363f3773b40782e3abfe363a7436ad28
                            • Instruction Fuzzy Hash: 17E15AB2A483508BD328DF35C89176BFBE2EBD1314F198A2DE5E58B395D634C805CB52
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: #&}$Cdy~$T;$]tk$o w|$t:K
                            • API String ID: 0-2803342273
                            • Opcode ID: abdf4c25606f55e3ce5d940840e1e9316043f006d2fc626a295817ae4c1e44af
                            • Instruction ID: 9960daddcdfd13f09a6a4c4594aab4b01f1988b613489f80d2c30a2e83bab942
                            • Opcode Fuzzy Hash: abdf4c25606f55e3ce5d940840e1e9316043f006d2fc626a295817ae4c1e44af
                            • Instruction Fuzzy Hash: 67B25AF3A0C2009FE7086E2DEC5567ABBD9EF94360F1A463DEAC5C3744E93598048697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: Fv=$&Hi?$1&^^$4Q~$:nyz${EO
                            • API String ID: 0-1242577052
                            • Opcode ID: 794567f64b1a2dfcbea7f0a6e3f131517517f8bff631869c1a878a7b5f5ec99d
                            • Instruction ID: 540c5459f33555489ab06f526060a6f3902e0917d40613720a0da569150da5f9
                            • Opcode Fuzzy Hash: 794567f64b1a2dfcbea7f0a6e3f131517517f8bff631869c1a878a7b5f5ec99d
                            • Instruction Fuzzy Hash: 78B2E3F3A082009FE704AE2DEC8577AF7E9EF94720F1A893DE6C483744E63558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1Il$GNx_$GNx_$[L{_$q./?$q~qf
                            • API String ID: 0-2157396325
                            • Opcode ID: 65c2a7b43e4308a1afda80cc370f0afe4fc88d173b55c657b8fc1fd41748c733
                            • Instruction ID: a2bb16c76a1ace0cf145dbffdb0febfe994c3f50a807001fee48ab6a397a959c
                            • Opcode Fuzzy Hash: 65c2a7b43e4308a1afda80cc370f0afe4fc88d173b55c657b8fc1fd41748c733
                            • Instruction Fuzzy Hash: 8EB2E5F350C3049FE304AE29EC8567AFBE9EF94720F1A893DEAC583744E63558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                            • API String ID: 0-3274379026
                            • Opcode ID: 15e662bed41bde6438c424e01886087067c944aa5a6ed4ca502e15da28c89bd8
                            • Instruction ID: d68a0983f4329b07b36e9c340243ec72f74e64cf387521f9e567e06935f8d6f6
                            • Opcode Fuzzy Hash: 15e662bed41bde6438c424e01886087067c944aa5a6ed4ca502e15da28c89bd8
                            • Instruction Fuzzy Hash: A05145725183518BD720CF25C8906ABB7F2FFD6311F18995CE8C18B295EB748906C7A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: %%w3$3{$L:g$S~$nts
                            • API String ID: 0-801547732
                            • Opcode ID: 4b80d4bdc99d9010955dfa8edb1988bfd83c692037cea2e9a2353294c63cdb9f
                            • Instruction ID: d45b391591cbc1a1d31b2ae5957cb517ed1bcb7ff197f5f2f8e2f5e2ad817b4b
                            • Opcode Fuzzy Hash: 4b80d4bdc99d9010955dfa8edb1988bfd83c692037cea2e9a2353294c63cdb9f
                            • Instruction Fuzzy Hash: 51B238F360C3049FE3047E6DEC8567ABBE9EB94320F164A3DEAC4C3744EA7558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: oo$<n!$C-h}$kh7$dso
                            • API String ID: 0-3380960814
                            • Opcode ID: 54974fa0b1752161c1b00c5d2ef3781637d58bb10bb287118d05dc96d42061e8
                            • Instruction ID: 17c03237748a791c773e85b2cfee25ff2452641e0a08354dd9257201ca039bd5
                            • Opcode Fuzzy Hash: 54974fa0b1752161c1b00c5d2ef3781637d58bb10bb287118d05dc96d42061e8
                            • Instruction Fuzzy Hash: FB72E7F390C200AFE3046E29DC8167AFBE5EF94320F1A492DEAC4D3744E67598418797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;+/$@xo$d>{$Qf
                            • API String ID: 0-2564287407
                            • Opcode ID: 88c40c8ae712b70bcea240f8730d0d42ff8661b8172d1dd85061be6988bfdb1e
                            • Instruction ID: 6d03769dbd8496baddab7c1c83d3e8980052f456c910c360d1729ece464d667d
                            • Opcode Fuzzy Hash: 88c40c8ae712b70bcea240f8730d0d42ff8661b8172d1dd85061be6988bfdb1e
                            • Instruction Fuzzy Hash: 22B227F360C2049FE704AE29EC8567AFBE5EF94720F1A893DE6C5C7744EA3558048786
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: Lk$U\$Zb$occupy-blushi.sbs$r
                            • API String ID: 0-2705259042
                            • Opcode ID: 3919736173020b5dcfa943010d81b69e698f99a6da44e9250132eeea7d598259
                            • Instruction ID: 9b6f2d8b02cb9bf997fe573416679d1563cc5e71f1b27e889f69bec6a19edab9
                            • Opcode Fuzzy Hash: 3919736173020b5dcfa943010d81b69e698f99a6da44e9250132eeea7d598259
                            • Instruction Fuzzy Hash: FEA1BDB010C3D18AD7759F25C4947EFBBE1AB93308F188A9CD0E94B286DB3945058F67
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: )=+4$57$7514$84*6$N
                            • API String ID: 0-4020838272
                            • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                            • Instruction ID: 7cfbada7876dabc6c3245224f3bfd1b944b68db41b5e544f5dcdb3d216532ffd
                            • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                            • Instruction Fuzzy Hash: F771D16110C3C68BD315DB2984B037BFFE1AFA2305F1C49ADE4D64B282D779890AC766
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: +2/?$=79$BBSH$GZE^
                            • API String ID: 0-3392023846
                            • Opcode ID: 62ae5dadedbd622b5106f6b9c92cf8e5cdf7e13d7d08e806581838e5aff22fc7
                            • Instruction ID: 0665895f8c8968fefafd6bcab7b58f811de447c34be94850b942f21d55d556e7
                            • Opcode Fuzzy Hash: 62ae5dadedbd622b5106f6b9c92cf8e5cdf7e13d7d08e806581838e5aff22fc7
                            • Instruction Fuzzy Hash: 4C52DE75504B818FC735CF29C890766BBE2BF56314F188A6DD4E68BB92C735E806CB60
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: H{D}$TgXy$_o]a$=>?
                            • API String ID: 0-2004217480
                            • Opcode ID: 53aebeccdac38b326b50601ef04da8b303f18917a023f981206a328a9398c7d7
                            • Instruction ID: 3fe9c7562eebdc8428e6fa9926a8d519068f8e6400d3262da0c4cc2b661efbdd
                            • Opcode Fuzzy Hash: 53aebeccdac38b326b50601ef04da8b303f18917a023f981206a328a9398c7d7
                            • Instruction Fuzzy Hash: 481213B1110B02CFD3248F26D895B97BBF5FB45324F148A2DD5AB8BBA0DB74A445CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: =:;8$=:;8$a{$kp
                            • API String ID: 0-2717198472
                            • Opcode ID: fdf6947924c01430cb7f10552fd4951ca65a55d601b4de04091e8697942d1408
                            • Instruction ID: 1a729b52182e364564227f7d092efced71186a883867685d8aefdaf682d3828a
                            • Opcode Fuzzy Hash: fdf6947924c01430cb7f10552fd4951ca65a55d601b4de04091e8697942d1408
                            • Instruction Fuzzy Hash: F1E1C1B5518342DFE320DF64D981B6BBBE2FBC5304F14892CE9858B391EB749805DB62
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: @A$lPLN$svfZ$IK
                            • API String ID: 0-1806543684
                            • Opcode ID: 7ca72d58470c24be10c90abbe57312830612a7cb1fd852aa2be888e8b5661f6d
                            • Instruction ID: 182d904b0ad445e49e29d5661fbb94102c95c096e54dff08791fe58fab54ee5d
                            • Opcode Fuzzy Hash: 7ca72d58470c24be10c90abbe57312830612a7cb1fd852aa2be888e8b5661f6d
                            • Instruction Fuzzy Hash: 6AC1287164C3848FD3249E6484A536FBBE2EBC2710F1CC92DE4E54B395D7758C098BA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: )$)$IEND
                            • API String ID: 0-588110143
                            • Opcode ID: dac68ee451c505106002d203ec2dfdd8cd9729eaaa1ddbfbf59d75baee92e650
                            • Instruction ID: 274b4421f665f3edee7b88a72b824c67c2ec1be23be23b38c052a599832fbc07
                            • Opcode Fuzzy Hash: dac68ee451c505106002d203ec2dfdd8cd9729eaaa1ddbfbf59d75baee92e650
                            • Instruction Fuzzy Hash: 4CF1FFB1A087029FE314EF28D85572ABBE0FF94314F08462DF99597392D774E914CBA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: /.q_$xPie
                            • API String ID: 0-2682987067
                            • Opcode ID: fd73cbae856d0e1fe3fa6f980ca2c887978e5eecf3d2bdc4ea46f10fb73417f3
                            • Instruction ID: 795b0da4b50378b6abf6ac7b7398b5959fdcba2ea523379f1623ba2bb91d11ac
                            • Opcode Fuzzy Hash: fd73cbae856d0e1fe3fa6f980ca2c887978e5eecf3d2bdc4ea46f10fb73417f3
                            • Instruction Fuzzy Hash: DAB2E3F3A082049FE3046E2DDC8577ABBE9EF94320F1A493DEAC4C7744EA7558018796
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: @J$KP$VD
                            • API String ID: 0-3841663987
                            • Opcode ID: 820a8a1e8df2e5943942359c58d091cd5b41e447495e74dbffff87966cea6c82
                            • Instruction ID: 91494676e96290d70f715c91e211bd600883283ca8269d3dd4b74f571d4cb2ea
                            • Opcode Fuzzy Hash: 820a8a1e8df2e5943942359c58d091cd5b41e447495e74dbffff87966cea6c82
                            • Instruction Fuzzy Hash: 85916875704B02AFD720CF64DC81BABBBB1FB86310F14452CE5959B781D374A816CBA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: PQ$A_$IG
                            • API String ID: 0-2179527320
                            • Opcode ID: 96a8190ccb23c09f41ba0836a746714a71c64bd79ce6a575859748fd6612428d
                            • Instruction ID: e70f0974e2dbbde4b299eb92123f8f7ac682c0e9bc014b6dcefa2307072ec943
                            • Opcode Fuzzy Hash: 96a8190ccb23c09f41ba0836a746714a71c64bd79ce6a575859748fd6612428d
                            • Instruction Fuzzy Hash: 54419E7001C342CAC704DF21D892A6BB7F1FF96758F28AA0DF0C29B695D7348546CB6A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: cC$jC
                            • API String ID: 0-2055910567
                            • Opcode ID: 593a8189d2a7bf5941b702004036b6784878e9141d17051988cad81286e3d587
                            • Instruction ID: 41152e7bd9dbf4a4c8d4cfa44815e83d157d6778a9f45d16586220b17ea87b0e
                            • Opcode Fuzzy Hash: 593a8189d2a7bf5941b702004036b6784878e9141d17051988cad81286e3d587
                            • Instruction Fuzzy Hash: 4D42CE36E04216CFCB18CF68D8916AEB7F2FB89314F1A857DC956A7391D6349901CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: f$
                            • API String ID: 2994545307-508322865
                            • Opcode ID: 9b961e72a1a6a01bde5ac5fe518db312b21b3158c9a32866237a12dc7ada012d
                            • Instruction ID: 4445febc4dca3e3b93f94c618e488923e36ae79ed569edb1fb8ac893cb9a40a1
                            • Opcode Fuzzy Hash: 9b961e72a1a6a01bde5ac5fe518db312b21b3158c9a32866237a12dc7ada012d
                            • Instruction Fuzzy Hash: 2312C470618341DFD714CF29C890A6BBBE2FBC5314F189A2CE596873A2D731D842CB62
                            Strings
                            • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00DB2591
                            • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00DB25D2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                            • API String ID: 0-2492670020
                            • Opcode ID: 53ec987fbb83d0136e2d92b4d64f3061e8699298350ed7e0b875d9bab80e6946
                            • Instruction ID: 7f14981c676ca62666a9fe1b810fe9654aacb5c642b0b8635410461426bbfd87
                            • Opcode Fuzzy Hash: 53ec987fbb83d0136e2d92b4d64f3061e8699298350ed7e0b875d9bab80e6946
                            • Instruction Fuzzy Hash: 3D81F833A196928BCB158A3C8C512FA7B925F97330B2D83A9D4B39B3D5D525C9058371
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$8
                            • API String ID: 0-46163386
                            • Opcode ID: 88aaa32bf314682b502958fc8c645de15d5ae871cb6c6c33ad6711b6995114a5
                            • Instruction ID: ba9c017091eefd34f8577006ae025607b772d197144239a22980097f650effe9
                            • Opcode Fuzzy Hash: 88aaa32bf314682b502958fc8c645de15d5ae871cb6c6c33ad6711b6995114a5
                            • Instruction Fuzzy Hash: 25A11135608781DFD320CF28E840B9EBBE1AB99304F18895CE9C897362C775E954CF62
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$8
                            • API String ID: 0-46163386
                            • Opcode ID: 1c77b8a9e4738c0f37a9ed9ccfedef1e95264156b07ba660ff80ec4819c383e6
                            • Instruction ID: 71e3dc9f7ba4bdd5e07edc21ab89178ac2cd35a27c8f7cd36ef68354843ca74d
                            • Opcode Fuzzy Hash: 1c77b8a9e4738c0f37a9ed9ccfedef1e95264156b07ba660ff80ec4819c383e6
                            • Instruction Fuzzy Hash: A0A11235608781DFD320CF28E840B9EBBE1AB99304F18895CE9C897362D775E955CF62
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: O3j$p:{
                            • API String ID: 0-3371031279
                            • Opcode ID: 493618423042660faab95fa8804e9914e4d2d73d30459e47be2f4a3e5cf7e984
                            • Instruction ID: 0e47dc95fdeef4ef18933ada5b0ffdb7a00ed29006a725d3466fd4d4db92abbd
                            • Opcode Fuzzy Hash: 493618423042660faab95fa8804e9914e4d2d73d30459e47be2f4a3e5cf7e984
                            • Instruction Fuzzy Hash: DA41D1B3A082049FE304BE69DC8677AFBE5EF84310F26493DDAC597740EA7958408787
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: efg`$efg`
                            • API String ID: 0-3010568471
                            • Opcode ID: b1e66d491d06815fbf091df99296d2a7ffa7f81f81a1dd4171461894c77fc11b
                            • Instruction ID: 3cd1eaaf46683db9880edb2c7604b9aaa5d2240dcb2ed6a647e951323c6b70d5
                            • Opcode Fuzzy Hash: b1e66d491d06815fbf091df99296d2a7ffa7f81f81a1dd4171461894c77fc11b
                            • Instruction Fuzzy Hash: 9031E532A083618BC328EF50D99166FB392BFE4300F5A442CD9C667251CE309D06CBF6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: st@
                            • API String ID: 0-3741395493
                            • Opcode ID: ece326422148b0d77ef5bcee9f4ff6c9d5e9f4d4de44b395fb27e1b725fca611
                            • Instruction ID: d1429f9363c40bae2a862c2840a39ec76bcd7f2026afd83c4e8de823b8d8c856
                            • Opcode Fuzzy Hash: ece326422148b0d77ef5bcee9f4ff6c9d5e9f4d4de44b395fb27e1b725fca611
                            • Instruction Fuzzy Hash: 90F126B150C382CFD7049F24C89176BBBE2AF96304F18886DE5D587382D775D909CBA6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: =:;8
                            • API String ID: 2994545307-508151936
                            • Opcode ID: e6a6c25c7b8f26db23315b31c0720d4551adaca22d5cfb8b296062f6e5b62f20
                            • Instruction ID: 315caffd6447425203ac7a0ffc6a8454cd1a07b84fa6b57a723430527b874a11
                            • Opcode Fuzzy Hash: e6a6c25c7b8f26db23315b31c0720d4551adaca22d5cfb8b296062f6e5b62f20
                            • Instruction Fuzzy Hash: 79D129B2A483118BD714CA28CC9267BB792EBC6314F1D857DDCC64B391EE749C06A7B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: efg`
                            • API String ID: 0-115929991
                            • Opcode ID: 575721fc80d7242eab49c1c68920ad3ba9a1a5d7f8c17159c15bee865d7dd858
                            • Instruction ID: 90dc1d4a53d84d95bc95808715a73c5b1c5042edcf5c685ff8e3c4ddd993ddae
                            • Opcode Fuzzy Hash: 575721fc80d7242eab49c1c68920ad3ba9a1a5d7f8c17159c15bee865d7dd858
                            • Instruction Fuzzy Hash: CBC10471904216DBCF289F58DC62ABBB3B4FF46320F19416CE942A7391E734A901C7B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: G
                            • API String ID: 0-985283518
                            • Opcode ID: 4a3e28d1cbc2fd2dcf840ff22974d0e941a2b553e5720290f8e3e33cae55056d
                            • Instruction ID: 7913ca8f2c3236388acbbd711519b50371ddbb98fdbdcafcffc1b727426dc3af
                            • Opcode Fuzzy Hash: 4a3e28d1cbc2fd2dcf840ff22974d0e941a2b553e5720290f8e3e33cae55056d
                            • Instruction Fuzzy Hash: F6A19EB3F2162547F3844938CD583A26583DBD5325F3F82388A599B7C9DC7E9D0A5384
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: _^]\
                            • API String ID: 2994545307-3116432788
                            • Opcode ID: f49d36dea6e5ee6658ac970a30311a0cc74cb614091c43b7c1d676e161f22d22
                            • Instruction ID: 2d52ec0359d5ce5cb910d6124bf86be1e12ed03a98f7d297bdaa97c4f312ddf2
                            • Opcode Fuzzy Hash: f49d36dea6e5ee6658ac970a30311a0cc74cb614091c43b7c1d676e161f22d22
                            • Instruction Fuzzy Hash: E981D1782083528FC715DF18D491E2AB7E2FF9A750F09856CE9818B366D731EC51CBA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: ,
                            • API String ID: 0-3772416878
                            • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                            • Instruction ID: e294c85ddf328bf07c11140dfa66fcf1e392a24d4b612c598c3d9433466783af
                            • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                            • Instruction Fuzzy Hash: E3B138711083819FD325DF58C89061BFBE0AFA9704F484A6DE5D99B382D631E918CBA6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: 5|iL
                            • API String ID: 2994545307-1880071150
                            • Opcode ID: 7443923bb8e037e2ff95594b55a1a11e80054e7c705250ce25848933e2755588
                            • Instruction ID: 880e7acf4d0c778f2a4b33b9c19c8de93a2c4007b17f02e1278b163400206f7c
                            • Opcode Fuzzy Hash: 7443923bb8e037e2ff95594b55a1a11e80054e7c705250ce25848933e2755588
                            • Instruction Fuzzy Hash: A571D732A04711CFC7149E2C8C806A6B7A6EFC9334F19866DE99697365D3B1DC028BE1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: efg`
                            • API String ID: 2994545307-115929991
                            • Opcode ID: 5a758606c979b35ec6caee5caf516d59aa178b6a32c5f9520f632995cf6ad631
                            • Instruction ID: 5e33f79d40e0ef24e5405f9a1019f51ab9111009ee38efdd8639aeae6dfe504c
                            • Opcode Fuzzy Hash: 5a758606c979b35ec6caee5caf516d59aa178b6a32c5f9520f632995cf6ad631
                            • Instruction Fuzzy Hash: F8512872A043515BD721FB609C82BAF7393EFD1714F194428E98957242DF30AA0687F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: D
                            • API String ID: 0-2746444292
                            • Opcode ID: f1783869fcebd5909d23cf587711a2fab05a4510687552cf8037f4291d97716f
                            • Instruction ID: 5be640a20a697fe5b4d4a400e3601a285a0db8e5d75f9ce28d7f9e1ec599a895
                            • Opcode Fuzzy Hash: f1783869fcebd5909d23cf587711a2fab05a4510687552cf8037f4291d97716f
                            • Instruction Fuzzy Hash: B85120B05493818AE7208F16C86179BBBF1FF91B44F20980CE6D95B394D7B59809CF97
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                            • Instruction ID: 95ad0f41bab4ea9379763bb114c0107dbc81f43f0d6b8c61d6f2e6150a3e1b7e
                            • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                            • Instruction Fuzzy Hash: 5842C33160C3118BC725EF28E8806AAB3E2FFD4314F39892DD99687385D735E955CB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 848e0f9fc01da1b608830fcff7ff0de9015bff6d46c873256d3991ed48274eb4
                            • Instruction ID: f3aef031f51a5fbc370e94a456b25ba99bca3c8acd6ab9600f7de01d05f1236d
                            • Opcode Fuzzy Hash: 848e0f9fc01da1b608830fcff7ff0de9015bff6d46c873256d3991ed48274eb4
                            • Instruction Fuzzy Hash: AA52D97090CB848FEB35EB24C4847A7BBE1EB51314F28496DD5EB06B82D379E885C761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15aa49e834258c6febc77d1c71185f585c96457a6f473d8cb5c6d075700c62cc
                            • Instruction ID: 924a9d8dbcdb664665102dcc5626c7d311176d818944c597f83e0f1c2a334c5f
                            • Opcode Fuzzy Hash: 15aa49e834258c6febc77d1c71185f585c96457a6f473d8cb5c6d075700c62cc
                            • Instruction Fuzzy Hash: A0425634608342DFD704CF28E854B5ABBE1BF88355F09896CE8898B391D775E984CF62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: babb53c8bc7eba068e38f463984e3c8a2481317b7c63581c63ea99fefd9cf557
                            • Instruction ID: 37311e1eb06b5cec58d8666e6d8a0aab20215c2a5694ed89a812424333cb36ea
                            • Opcode Fuzzy Hash: babb53c8bc7eba068e38f463984e3c8a2481317b7c63581c63ea99fefd9cf557
                            • Instruction Fuzzy Hash: 0A52E0315083458FCB15DF19C0806BABBE1BF88714F198A6DF8D95B341D778E989CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            • Associated: 00000000.00000002.1350372983.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350390916.0000000000DC5000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350438428.0000000000DD7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.0000000001065000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350453781.000000000107D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350702027.000000000107E000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350812640.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1350827548.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61cd9e8c9c9aea3c0007088ba87cdae68c16a3ed21796dae658124ce700620f7
                            • Instruction ID: db07713077568529996f8e46b57052c5f814259f5bd1355b9341d396c9ea4840
                            • Opcode Fuzzy Hash: 61cd9e8c9c9aea3c0007088ba87cdae68c16a3ed21796dae658124ce700620f7
                            • Instruction Fuzzy Hash: C44225B1514B108FC328DF29C59052ABBF2BF85B10B644A2ED69B87F90D776F945CB20
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                            • Instruction ID: 9f85601a58426fd0cecc98231bbd65e9a2d6d1e874218637471497b6fdc17d60
                            • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                            • Instruction Fuzzy Hash: 57F19B712087418FC724DF29C881A6BFBE2FF94310F44492DE5D687792E635E948CBA6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                            • Instruction ID: 0d7b2d90839e492c149732c083d0a978e95c555ab9ad064f8d320e526847782a
                            • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                            • Instruction Fuzzy Hash: B3C18DB2A083418FC364CF68C896B9BB7E1BF84328F08492DD5DAC7341E678E545CB56
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                            • Instruction ID: c095032f45fb6f39cbec2ab239a57e8aefc2cd293fa5e401ae67bed5d3f6a5f2
                            • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                            • Instruction Fuzzy Hash: 44B11972D087D18FDB11CA7CC8803997FA26B97220F1DC295D5A5AB3DAC6358806D7B2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 1fa7422eb8ef968401b2ef18758d4fd67af44489a7b63472e58383c8411c0c86
                            • Instruction ID: 81c6592c319c33745f2bc3e224ab8ab29c65a527532575f2cd33791332027322
                            • Opcode Fuzzy Hash: 1fa7422eb8ef968401b2ef18758d4fd67af44489a7b63472e58383c8411c0c86
                            • Instruction Fuzzy Hash: 5281007561C3129FD714DE68D850B2BB7E2EF8A310F08893CE986D7292E674DC4587A2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                            • Instruction ID: f43def32f516977adc0fe52f30c31878ce75c34f96bc3501aa1c9317fa824504
                            • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                            • Instruction Fuzzy Hash: 72A1FF7560C3958FC325CF29C49066ABBE2BF96310F1D866DE4E68B392D634DC01CB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1ad838a38d8ec4b72626220a3d2bc6f64250c24f35f4a1373bfdc78b4202726
                            • Instruction ID: 899a1f596bfe5e9274690eb6d00b1f8b24f33078014fe56a006806c2dc7c9343
                            • Opcode Fuzzy Hash: c1ad838a38d8ec4b72626220a3d2bc6f64250c24f35f4a1373bfdc78b4202726
                            • Instruction Fuzzy Hash: 14912A32A042614FCB26CF28C85176ABAD1AB95324F1DC27DE8A9DB392D674CC46C3D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 813f7ed7c6197f2181dbad9592c0afc2f021385f73a2420f90ee992885d00841
                            • Instruction ID: 618478424d3a9a1d6a5abd9427244945583deac477f5991fa8ef8dc58d788445
                            • Opcode Fuzzy Hash: 813f7ed7c6197f2181dbad9592c0afc2f021385f73a2420f90ee992885d00841
                            • Instruction Fuzzy Hash: 7F710435508342DBC7149B28D850B2FBBE6FFD8720F19C96CE9868B265E7709C51C762
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e5536365c51d4ddeb77121387246e033ba7105f9517c3428ae0d2ed4880dfdf7
                            • Instruction ID: 768495be7f2cbc40bbaf51a122286d0abc40b49bbd65249483d71f4391429f2a
                            • Opcode Fuzzy Hash: e5536365c51d4ddeb77121387246e033ba7105f9517c3428ae0d2ed4880dfdf7
                            • Instruction Fuzzy Hash: 26713933B595A187CB18C97C4C122E9AA875BD633472EC37AADB7DB3D2C5698D0143A0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: f5cd0384d3148991a918cb1b2958d64a6200e2219b8674a327acd02b02e84f1e
                            • Instruction ID: 717e77586f6b2f9add1119df257d3c452abf0edd65549f48531e305129fbb58a
                            • Opcode Fuzzy Hash: f5cd0384d3148991a918cb1b2958d64a6200e2219b8674a327acd02b02e84f1e
                            • Instruction Fuzzy Hash: 07512A35E08311CFD7209F2998416ABB7A2EBD5730F29863DD9D667351E3B1DC028BA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 47a82b7c06fc3127c24b2c8314898a673911af2137223f279672f8cbc7fcd218
                            • Instruction ID: 47e39eb931cbba443fe9188fdc98ff74b018a25fe3a09e635494e014dd2186d5
                            • Opcode Fuzzy Hash: 47a82b7c06fc3127c24b2c8314898a673911af2137223f279672f8cbc7fcd218
                            • Instruction Fuzzy Hash: 316102F250C6049FE7097E18DC957BEBBE5EF94310F16092DE2C282740EA759854DB87
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000000DD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e7a235d00be51559b22ccb6f4076e7fa748254f465b426228a42e3ed3c9eee2
                            • Instruction ID: 6eb53ef46ef6bbfc688689dca25efc1086ded16d1c9f2ae72e04d40a987a3ce0
                            • Opcode Fuzzy Hash: 3e7a235d00be51559b22ccb6f4076e7fa748254f465b426228a42e3ed3c9eee2
                            • Instruction Fuzzy Hash: 915139B3A082149FD3406E1DEC0576AF7E9DF94760F1A453EEAC4C3740E97A984587C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: 58f299436e662b78d8baa8a7ba8e6a4b5cdfe2141a9b256135044a4c2ceae0d3
                            • Instruction ID: 560dd0e2086e55571e1e41c4b479a2a095fce14cd0bddd8ad61ff949d6db3df2
                            • Opcode Fuzzy Hash: 58f299436e662b78d8baa8a7ba8e6a4b5cdfe2141a9b256135044a4c2ceae0d3
                            • Instruction Fuzzy Hash: BF513637A1A6D14BC7248A7C4C112A95E570BE7334B3E836AD8F58B3D1C53ADC0283B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: 72622509a584c9a6b290be46ed8d89c7bfb7191a8a62ce49919b6e5f846a3ec5
                            • Instruction ID: e26e56b417c7dbd575264398bee63cc9d0f5150ef7a9bda6e48c90c50b1c27b7
                            • Opcode Fuzzy Hash: 72622509a584c9a6b290be46ed8d89c7bfb7191a8a62ce49919b6e5f846a3ec5
                            • Instruction Fuzzy Hash: 66410A75A09346AFD3509F68AC42A6B7BE8EF8A314F04887DF585C3391D674D805C772
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: a065f5986ff24dd3c937f1ca7e5ac15a367888669361087686b0d5dbdb7466d5
                            • Instruction ID: 90c615f4b2d8d8f1038ba27ee2d976d67d5d7ce81a96e68f19d7b73221f4cb15
                            • Opcode Fuzzy Hash: a065f5986ff24dd3c937f1ca7e5ac15a367888669361087686b0d5dbdb7466d5
                            • Instruction Fuzzy Hash: F3814EB450A3868FC375CF05D988F9BBBE1BB99304F54491E98898B350CFB01445EFA6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350453781.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: e27c7fb029da707b2f666f53aeb2865aec0b44e5c0b4747994c0032ebffd4beb
                            • Instruction ID: daddc8a67e8dac5bb7fd9f5b1941368f5b0f6c73a24b02ad7b6834826454c5e9
                            • Opcode Fuzzy Hash: e27c7fb029da707b2f666f53aeb2865aec0b44e5c0b4747994c0032ebffd4beb
                            • Instruction Fuzzy Hash: DC11D5F6A1C100AFE709A915DC91A7FB6EAFBA8310F15853DE1C786744E73168928252
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: 52f04721f88b5b628f384212fe1af48bc0af2e9492527dc1b4c6f37ea622f2f0
                            • Instruction ID: 8b42d5cbbdb27f93fe79d2e3c94fd09112ca395556d13dac6a184770d3f8e271
                            • Opcode Fuzzy Hash: 52f04721f88b5b628f384212fe1af48bc0af2e9492527dc1b4c6f37ea622f2f0
                            • Instruction Fuzzy Hash: F6118237B2576347E750DE6ADCD4A3667A2EF8931071E0524EE81D7352C662E811D3A0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: a8a171f538b85514ad4036740e673aab1edfdf3f440ce79911e55db2288ac855
                            • Instruction ID: 51923298d24e4bc744849f4d7fa395a8757a54158d9877fa734242eb24b3b6e5
                            • Opcode Fuzzy Hash: a8a171f538b85514ad4036740e673aab1edfdf3f440ce79911e55db2288ac855
                            • Instruction Fuzzy Hash: ADF027706083824BD3188B34E891A3FB7B0EB83624F10141DE3C3D3292DB21D8028B19
                            Memory Dump Source
                            • Source File: 00000000.00000002.1350390916.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                            Similarity
                            • Opcode ID: 71d1e45fa884519d727e4cec42cc920d1dbba28b530aa52c87c08f833ed91544
                            • Instruction ID: d13d91a3e3288cdfa696d3dfe44ad3e778d5eb9b1d43ab95649d68394d6e4b1b
                            • Opcode Fuzzy Hash: 71d1e45fa884519d727e4cec42cc920d1dbba28b530aa52c87c08f833ed91544
                            • Instruction Fuzzy Hash: E1B09250A04209BF10249D0A8C59D7BF6BE96CB650B106008A409A33148650EC0482F9