Edit tour

Windows Analysis Report
lJEIftsml0.exe

Overview

General Information

Sample name:	lJEIftsml0.exe renamed because original name is a hash value
Original sample name:	2a477b9b4af409aba2a01fff919b7fd5.exe
Analysis ID:	1580930
MD5:	2a477b9b4af409aba2a01fff919b7fd5
SHA1:	ed3ec90b765629794ac133286fb87e608630fa96
SHA256:	6b0fb3a9b583ec2f3dbbfb1e942834aa1d2028342e4bf38df84ab4549430f612
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

lJEIftsml0.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\lJEIftsml0.exe" MD5: 2A477B9B4AF409ABA2A01FFF919B7FD5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["curverpluch.lat", "shapestickyr.lat", "wordyfindy.lat", "tentabatte.lat", "slipperyloo.lat", "talkynicer.lat", "manyrestro.lat", "bashfulacid.lat", "observerfry.lat"], "Build id": "PsFKDg--pablo"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:31.335011+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:29.566429+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.5	59629	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:29.285564+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.5	62457	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:28.791178+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.5	57350	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:28.993282+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.5	65250	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:28.562364+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.5	52461	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:29.140851+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.5	51489	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:29.424550+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.5	57213	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:28.418160+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.5	54762	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:17:32.205428+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lJEIftsml0.exe

Avira: detected

Found malware configuration

Source: lJEIftsml0.exe.6544.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["curverpluch.lat", "shapestickyr.lat", "wordyfindy.lat", "tentabatte.lat", "slipperyloo.lat", "talkynicer.lat", "manyrestro.lat", "bashfulacid.lat", "observerfry.lat"], "Build id": "PsFKDg--pablo"}

Multi AV Scanner detection for submitted file

Source: lJEIftsml0.exe	ReversingLabs: Detection: 65%
Source: lJEIftsml0.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lJEIftsml0.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: observerfry.lat
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2067869331.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: PsFKDg--pablo

Source: lJEIftsml0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edx, ebx	0_2_007A8600
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	0_2_007E1720
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then lea esi, dword ptr [eax+00000270h]	0_2_007A8A50
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CC0E6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CE0DA
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov esi, ecx	0_2_007C90D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CC09E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007CD17D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_007CB170
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h]	0_2_007E1160
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CC09E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007CD116
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_007C81CC
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_007D6210
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CD34A
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_007E0340
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007BC300
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_007C83D8
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_007A73D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_007A73D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_007B747D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov word ptr [edx], di	0_2_007B747D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh]	0_2_007CC465
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CC465
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov eax, ebx	0_2_007C7440
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h]	0_2_007C7440
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h]	0_2_007BB57D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_007C8528
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edi, ecx	0_2_007CA5B6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	0_2_007E06F0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_007C7740
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then jmp eax	0_2_007C9739
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_007CC850
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	0_2_007DC830
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then push esi	0_2_007AC805
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edx, ecx	0_2_007BB8F6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edx, ecx	0_2_007BB8F6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007BD8D8
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007BD8D8
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007BD8AC
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007BD8AC
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov eax, ebx	0_2_007BC8A0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh]	0_2_007BC8A0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah]	0_2_007BC8A0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh]	0_2_007BC8A0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_007C89E9
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_007DC990
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_007CB980
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h	0_2_007DCA40
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then dec edx	0_2_007DFA20
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_007C1A10
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_007CAAC0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	0_2_007AAB40
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then dec edx	0_2_007DFB10
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh]	0_2_007BEB80
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edi, dword ptr [esi+30h]	0_2_007ACC7A
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_007B4CA0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then dec edx	0_2_007DFD70
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edx, ecx	0_2_007C6D2E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h]	0_2_007E0D20
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CDDFF
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	0_2_007DCDF0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh]	0_2_007DCDF0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	0_2_007DCDF0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h	0_2_007DCDF0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h]	0_2_007DEDC1
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_007CDE07
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then dec edx	0_2_007DFE00
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	0_2_007A2EB0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov edx, ecx	0_2_007C9E80
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_007B6F52
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 4x nop then mov ecx, eax	0_2_007CBF13

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.5:62457 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.5:51489 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.5:57350 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.5:54762 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.5:65250 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.5:52461 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.5:59629 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.5:57213 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: observerfry.lat

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7bcd6a44c1d25d97184cbe63; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 26 Dec 2024 12:17:31 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001222000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.0000000001222000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121091389.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: lJEIftsml0.exe, 00000000.00000003.2111410301.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: lJEIftsml0.exe	Static PE information: section name:
Source: lJEIftsml0.exe	Static PE information: section name: .idata
Source: lJEIftsml0.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AB100	0_2_007AB100
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A8600	0_2_007A8600
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AD021	0_2_007AD021
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BD003	0_2_007BD003
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B60E9	0_2_007B60E9
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CC0E6	0_2_007CC0E6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CA0CA	0_2_007CA0CA
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CC09E	0_2_007CC09E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A6160	0_2_007A6160
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CC09E	0_2_007CC09E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C81CC	0_2_007C81CC
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C91AE	0_2_007C91AE
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0084D16B	0_2_0084D16B
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DF18B	0_2_007DF18B
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CE180	0_2_007CE180
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A4270	0_2_007A4270
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BE220	0_2_007BE220
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B1227	0_2_007B1227
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0095A235	0_2_0095A235
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C42D0	0_2_007C42D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D9280	0_2_007D9280
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CF377	0_2_007CF377
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CD34A	0_2_007CD34A
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C1340	0_2_007C1340
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A9310	0_2_007A9310
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C83D8	0_2_007C83D8
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A73D0	0_2_007A73D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AF3C0	0_2_007AF3C0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B747D	0_2_007B747D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007E0460	0_2_007E0460
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C7440	0_2_007C7440
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DA440	0_2_007DA440
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AD4F3	0_2_007AD4F3
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00969403	0_2_00969403
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C24E0	0_2_007C24E0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C04C6	0_2_007C04C6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C4560	0_2_007C4560
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CC53C	0_2_007CC53C
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A65F0	0_2_007A65F0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DA5D4	0_2_007DA5D4
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DC5A0	0_2_007DC5A0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0095357E	0_2_0095357E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D8650	0_2_007D8650
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BE630	0_2_007BE630
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B961B	0_2_007B961B
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AF60D	0_2_007AF60D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007E06F0	0_2_007E06F0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C46D0	0_2_007C46D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F8778	0_2_007F8778
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B2750	0_2_007B2750
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C7740	0_2_007C7740
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C9739	0_2_007C9739
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B57C0	0_2_007B57C0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F87A1	0_2_007F87A1
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0092676A	0_2_0092676A
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AC840	0_2_007AC840
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AD83C	0_2_007AD83C
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_008128FA	0_2_008128FA
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BB8F6	0_2_007BB8F6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D38D0	0_2_007D38D0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A38C0	0_2_007A38C0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D88B0	0_2_007D88B0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BC8A0	0_2_007BC8A0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BE960	0_2_007BE960
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C6910	0_2_007C6910
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A5900	0_2_007A5900
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CC9EB	0_2_007CC9EB
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007E09E0	0_2_007E09E0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DDA4D	0_2_007DDA4D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D5A4F	0_2_007D5A4F
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DCA40	0_2_007DCA40
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00845AC3	0_2_00845AC3
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DFA20	0_2_007DFA20
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B9AD0	0_2_007B9AD0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00962A3B	0_2_00962A3B
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C8ABC	0_2_007C8ABC
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D9A80	0_2_007D9A80
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007AAB40	0_2_007AAB40
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DFB10	0_2_007DFB10
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A4BA0	0_2_007A4BA0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BEB80	0_2_007BEB80
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D3C10	0_2_007D3C10
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D1CF0	0_2_007D1CF0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B4CA0	0_2_007B4CA0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DFD70	0_2_007DFD70
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CCD5E	0_2_007CCD5E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CCD4C	0_2_007CCD4C
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D9D30	0_2_007D9D30
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B1D2B	0_2_007B1D2B
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C6D2E	0_2_007C6D2E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007E0D20	0_2_007E0D20
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C1D00	0_2_007C1D00
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DCDF0	0_2_007DCDF0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A5DC0	0_2_007A5DC0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D7DA9	0_2_007D7DA9
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0095BD67	0_2_0095BD67
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CFE74	0_2_007CFE74
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C0E6C	0_2_007C0E6C
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007CEE63	0_2_007CEE63
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00958EDF	0_2_00958EDF
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007DFE00	0_2_007DFE00
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007C2EF4	0_2_007C2EF4
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007A2EB0	0_2_007A2EB0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BAEB0	0_2_007BAEB0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D8EA0	0_2_007D8EA0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007B6F52	0_2_007B6F52
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007BDF50	0_2_007BDF50
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00960F1E	0_2_00960F1E

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: String function: 007B4C90 appears 77 times
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: String function: 007A7F60 appears 40 times

Source: lJEIftsml0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lJEIftsml0.exe	Static PE information: Section: ZLIB complexity 0.9994574652777778
Source: lJEIftsml0.exe	Static PE information: Section: zeguhbed ZLIB complexity 0.9949323672429762

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/1

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Code function: 0_2_007D2070 CoCreateInstance,

0_2_007D2070

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lJEIftsml0.exe	ReversingLabs: Detection: 65%
Source: lJEIftsml0.exe	Virustotal: Detection: 69%

Source: lJEIftsml0.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\lJEIftsml0.exe

File read: C:\Users\user\Desktop\lJEIftsml0.exe

Jump to behavior

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Section loaded: dpapi.dll	Jump to behavior

Source: lJEIftsml0.exe

Static file information: File size 1830400 > 1048576

Source: lJEIftsml0.exe

Static PE information: Raw size of zeguhbed is bigger than: 0x100000 < 0x194e00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Unpacked PE file: 0.2.lJEIftsml0.exe.7a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zeguhbed:EW;ghwwoioc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zeguhbed:EW;ghwwoioc:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: lJEIftsml0.exe

Static PE information: real checksum: 0x1ccb07 should be: 0x1cdf66

Source: lJEIftsml0.exe	Static PE information: section name:
Source: lJEIftsml0.exe	Static PE information: section name: .idata
Source: lJEIftsml0.exe	Static PE information: section name:
Source: lJEIftsml0.exe	Static PE information: section name: zeguhbed
Source: lJEIftsml0.exe	Static PE information: section name: ghwwoioc
Source: lJEIftsml0.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007FA357 push edi; mov dword ptr [esp], edx	0_2_007FA364
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00A170A5 push eax; mov dword ptr [esp], 747C358Ch	0_2_00A170D4
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00A170A5 push 0BBB98B7h; mov dword ptr [esp], edx	0_2_00A1714F
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00A170A5 push esi; mov dword ptr [esp], esp	0_2_00A17169
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0099809C push 4E619563h; mov dword ptr [esp], ebx	0_2_009980CB
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0099809C push 5FD4EEF3h; mov dword ptr [esp], esi	0_2_009980D6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0099809C push edi; mov dword ptr [esp], 75EFDD75h	0_2_009980DA
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9077 push edx; mov dword ptr [esp], eax	0_2_007F934F
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9077 push 5BC3861Bh; mov dword ptr [esp], eax	0_2_007F9362
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9077 push ecx; mov dword ptr [esp], eax	0_2_007F9771
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9077 push ebp; mov dword ptr [esp], esp	0_2_007F9775
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9077 push edi; mov dword ptr [esp], 15E5B720h	0_2_007FA15E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007D7069 push es; retf	0_2_007D7074
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_009A00DC push ebp; ret	0_2_009A00E7
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F8032 push edi; mov dword ptr [esp], esi	0_2_007F803E
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007FD02E push 02AC85BCh; mov dword ptr [esp], esi	0_2_007FE268
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_009D9009 push 179EC980h; mov dword ptr [esp], ebp	0_2_009D901D
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_009D9009 push edi; mov dword ptr [esp], 53EF1D71h	0_2_009D9034
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_009D9009 push 02A48D7Bh; mov dword ptr [esp], ecx	0_2_009D9067
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_009D9009 push esi; mov dword ptr [esp], ebx	0_2_009D907F
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F70D2 push 710FAC7Fh; mov dword ptr [esp], ebp	0_2_007F7685
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00A4306F push eax; mov dword ptr [esp], ebp	0_2_00A430C6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00A4306F push 60BE0BEEh; mov dword ptr [esp], eax	0_2_00A430D6
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F90B0 push ecx; mov dword ptr [esp], eax	0_2_007F9771
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F90B0 push ebp; mov dword ptr [esp], esp	0_2_007F9775
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007FD0A8 push 1217E989h; mov dword ptr [esp], esp	0_2_007FD0B0
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9093 push ecx; mov dword ptr [esp], eax	0_2_007F9771
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F9093 push ebp; mov dword ptr [esp], esp	0_2_007F9775
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_00981192 push 3D2CD536h; mov dword ptr [esp], edi	0_2_009811CB
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_007F7164 push 7F961C7Ah; mov dword ptr [esp], ecx	0_2_007F7640
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Code function: 0_2_0096C1B3 push 2FD60857h; mov dword ptr [esp], ebx	0_2_0096C9E7

Source: lJEIftsml0.exe	Static PE information: section name: entropy: 7.9803248149600154
Source: lJEIftsml0.exe	Static PE information: section name: zeguhbed entropy: 7.954960402364715

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\lJEIftsml0.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9689BA second address: 9689E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60144h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F46A0F6013Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9689E4 second address: 9689E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9689E8 second address: 9689EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9689EE second address: 9689FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F46A06E91AEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96AF2D second address: 96AF33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B0AB second address: 96B0C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jbe 00007F46A06E91B8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F46A06E91A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B0C9 second address: 96B0CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B0CD second address: 96B0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B0DC second address: 96B139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F46A0F60138h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 push ebx 0x00000023 mov dword ptr [ebp+122D338Ah], ecx 0x00000029 pop esi 0x0000002a mov dword ptr [ebp+122D2F73h], ebx 0x00000030 lea ebx, dword ptr [ebp+12445E00h] 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007F46A0F60138h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 mov dl, 16h 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 push edi 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B139 second address: 96B15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F46A06E91B4h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jns 00007F46A06E91A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B202 second address: 96B268 instructions: 0x00000000 rdtsc 0x00000002 js 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F46A0F60147h 0x00000012 pop edx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F46A0F60138h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov ch, 7Ch 0x00000030 push 00000000h 0x00000032 jns 00007F46A0F60139h 0x00000038 push 9DC5F8B9h 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F46A0F60138h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B268 second address: 96B2B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 623A07C7h 0x0000000f jnl 00007F46A06E91A8h 0x00000015 push 00000003h 0x00000017 add dword ptr [ebp+122D2E29h], edi 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 jmp 00007F46A06E91B7h 0x00000025 pop edx 0x00000026 push 00000003h 0x00000028 mov dword ptr [ebp+122D20E8h], edx 0x0000002e push BED52A74h 0x00000033 pushad 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96B2B3 second address: 96B32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F46A0F60136h 0x0000000a popad 0x0000000b jmp 00007F46A0F6013Eh 0x00000010 popad 0x00000011 xor dword ptr [esp], 7ED52A74h 0x00000018 pushad 0x00000019 mov ebx, eax 0x0000001b call 00007F46A0F6013Ch 0x00000020 movsx eax, si 0x00000023 pop ecx 0x00000024 popad 0x00000025 lea ebx, dword ptr [ebp+12445E09h] 0x0000002b push ebx 0x0000002c push ebx 0x0000002d jmp 00007F46A0F60146h 0x00000032 pop ecx 0x00000033 pop edi 0x00000034 je 00007F46A0F60139h 0x0000003a sbb dl, FFFFFFB6h 0x0000003d xchg eax, ebx 0x0000003e jbe 00007F46A0F6013Eh 0x00000044 js 00007F46A0F60138h 0x0000004a pushad 0x0000004b popad 0x0000004c push eax 0x0000004d jbe 00007F46A0F60142h 0x00000053 jo 00007F46A0F6013Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 97CF49 second address: 97CF62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 97CF62 second address: 97CF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 97CF67 second address: 97CF6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 989F77 second address: 989F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 989F7C second address: 989F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 989F82 second address: 989F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 je 00007F46A0F6013Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 989F91 second address: 989F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A237 second address: 98A23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A23B second address: 98A25B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A25B second address: 98A25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A3B9 second address: 98A3BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A518 second address: 98A534 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F46A0F6013Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F46A0F60136h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A534 second address: 98A55B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F46A06E91A6h 0x00000011 jno 00007F46A06E91A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A6EE second address: 98A6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A972 second address: 98A97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98A97A second address: 98A980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98AB0F second address: 98AB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98B1D5 second address: 98B1D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98BA55 second address: 98BA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F46A06E91A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98BA5F second address: 98BA6E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F46A0F60136h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98BA6E second address: 98BA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98BA76 second address: 98BA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98BA81 second address: 98BA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 98FF58 second address: 98FF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 991CCB second address: 991CE1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F46A06E91ACh 0x00000008 jbe 00007F46A06E91A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 995C8E second address: 995C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 995F81 second address: 995F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 995F85 second address: 995F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 995F8B second address: 995F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 995F8F second address: 995F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 996129 second address: 99612F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9963BB second address: 9963D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60140h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9963D1 second address: 9963E5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F46A06E91A8h 0x00000008 jng 00007F46A06E91AEh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 997E6D second address: 997E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999134 second address: 99913A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9991F2 second address: 9991F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9991F8 second address: 999210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46A06E91B3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999210 second address: 999252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 35083697h 0x0000000e call 00007F46A0F60139h 0x00000013 jmp 00007F46A0F6013Eh 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007F46A0F6014Ah 0x00000021 jmp 00007F46A0F60144h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999252 second address: 999276 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F46A06E91A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F46A06E91ADh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999276 second address: 99929A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F46A0F6013Bh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9997A9 second address: 9997C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999D65 second address: 999DB7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F46A0F6013Ch 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F46A0F60138h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D2FB0h], edx 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F46A0F6013Fh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999DB7 second address: 999DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 999DBB second address: 999DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99C2DF second address: 99C2E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99C2E3 second address: 99C358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F46A0F60138h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov si, cx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F46A0F60138h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 movzx edi, cx 0x00000043 push 00000000h 0x00000045 mov esi, dword ptr [ebp+122D3142h] 0x0000004b xchg eax, ebx 0x0000004c jmp 00007F46A0F60147h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99D6C2 second address: 99D6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99E1FE second address: 99E268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 ja 00007F46A0F60136h 0x0000000c jbe 00007F46A0F60136h 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 mov edi, dword ptr [ebp+122D33B1h] 0x0000001b push 00000000h 0x0000001d mov dword ptr [ebp+122D340Eh], ebx 0x00000023 mov edi, eax 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F46A0F60138h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 xchg eax, ebx 0x00000042 pushad 0x00000043 jp 00007F46A0F6013Ch 0x00000049 pushad 0x0000004a jmp 00007F46A0F60140h 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99EE19 second address: 99EE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46A06E91AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99F8DE second address: 99F8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99F8E3 second address: 99F927 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F46A06E91A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F46A06E91A8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D2E77h] 0x0000002f push 00000000h 0x00000031 mov di, ax 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push esi 0x00000039 pop esi 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A2C3A second address: 9A2C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A2C3E second address: 9A2C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A4B50 second address: 9A4BD0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ebx, dword ptr [ebp+122D233Bh] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F46A0F60138h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d call 00007F46A0F60149h 0x00000032 mov ebx, 7B085A00h 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a and ebx, dword ptr [ebp+122D2A4Eh] 0x00000040 push eax 0x00000041 pushad 0x00000042 pushad 0x00000043 jmp 00007F46A0F60146h 0x00000048 jp 00007F46A0F60136h 0x0000004e popad 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A4BD0 second address: 9A4BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A5C07 second address: 9A5C0C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A6B75 second address: 9A6B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A7B95 second address: 9A7B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A9BEE second address: 9A9BFF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F46A06E91A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A9BFF second address: 9A9C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99DFA6 second address: 99DFC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ABB13 second address: 9ABB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46A0F60148h 0x00000009 push esi 0x0000000a jns 00007F46A0F60136h 0x00000010 jmp 00007F46A0F60140h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 96406D second address: 964072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B0E19 second address: 9B0E23 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B1E61 second address: 9B1E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B1E66 second address: 9B1E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A4D63 second address: 9A4D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A5DD6 second address: 9A5E03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60149h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F46A0F6013Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A7D2D second address: 9A7D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A8E15 second address: 9A8E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A9E29 second address: 9A9E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F46A06E91ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9AFFDB second address: 9AFFDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B20C1 second address: 9B213B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F46A06E91ACh 0x00000008 jns 00007F46A06E91A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+122D34FAh], eax 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov bx, 4721h 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b or bh, 0000007Ah 0x0000002e mov eax, dword ptr [ebp+122D0FF9h] 0x00000034 jmp 00007F46A06E91B1h 0x00000039 push FFFFFFFFh 0x0000003b jmp 00007F46A06E91AEh 0x00000040 nop 0x00000041 jmp 00007F46A06E91B5h 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jno 00007F46A06E91ACh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B2DE7 second address: 9B2DED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A4D67 second address: 9A4D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A5E03 second address: 9A5E0D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B2DED second address: 9B2DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A5E0D second address: 9A5E12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B2DF1 second address: 9B2DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A5E12 second address: 9A5E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B2DF5 second address: 9B2E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor bx, 2410h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F46A06E91A8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c ja 00007F46A06E91A6h 0x00000032 push 00000000h 0x00000034 call 00007F46A06E91B7h 0x00000039 jmp 00007F46A06E91B2h 0x0000003e pop edi 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 jmp 00007F46A06E91AEh 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B2E6D second address: 9B2E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46A0F60148h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B4D9E second address: 9B4DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B3FE9 second address: 9B3FEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B5E65 second address: 9B5E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B5E6B second address: 9B5EE2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F46A0F60144h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F46A0F60138h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 sbb bh, 0000004Bh 0x0000002a push 00000000h 0x0000002c jng 00007F46A0F6013Bh 0x00000032 add di, 3891h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F46A0F60138h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov di, 0C17h 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a push ecx 0x0000005b pushad 0x0000005c popad 0x0000005d pop ecx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B5EE2 second address: 9B5F18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F46A06E91B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B5F18 second address: 9B5F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B613D second address: 9B6144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B6144 second address: 9B615A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F46A0F6013Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9B615A second address: 9B615E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C130D second address: 9C131A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F46A0F60136h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C131A second address: 9C1343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F46A06E91A6h 0x00000012 jmp 00007F46A06E91B7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C0BC8 second address: 9C0BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C0BCE second address: 9C0BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F46A06E91AFh 0x0000000a jg 00007F46A06E91ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C889B second address: 9C88AE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F46A0F60138h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C88AE second address: 9C88B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C88B3 second address: 9C88D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F6013Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F46A0F60136h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C88D1 second address: 9C88D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C88D7 second address: 9C88E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F46A0F60136h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9C88E2 second address: 7F888F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jng 00007F46A06E91ACh 0x0000000e pushad 0x0000000f mov si, cx 0x00000012 stc 0x00000013 popad 0x00000014 push dword ptr [ebp+122D05E5h] 0x0000001a cmc 0x0000001b call dword ptr [ebp+122D2EA0h] 0x00000021 pushad 0x00000022 jne 00007F46A06E91ACh 0x00000028 xor eax, eax 0x0000002a xor dword ptr [ebp+122D20DDh], edx 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 pushad 0x00000035 jmp 00007F46A06E91B5h 0x0000003a mov edx, dword ptr [ebp+122D29FAh] 0x00000040 popad 0x00000041 mov dword ptr [ebp+122D289Eh], eax 0x00000047 cmc 0x00000048 jmp 00007F46A06E91ADh 0x0000004d mov esi, 0000003Ch 0x00000052 or dword ptr [ebp+122D20DDh], ecx 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c cld 0x0000005d lodsw 0x0000005f jmp 00007F46A06E91B8h 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jne 00007F46A06E91BDh 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 jmp 00007F46A06E91B3h 0x00000077 nop 0x00000078 pushad 0x00000079 ja 00007F46A06E91A8h 0x0000007f push esi 0x00000080 jmp 00007F46A06E91B9h 0x00000085 pop esi 0x00000086 popad 0x00000087 push eax 0x00000088 push esi 0x00000089 pushad 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9CD25E second address: 9CD262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9CD262 second address: 9CD268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9CBF2F second address: 9CBF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007F46A0F60163h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9CCB3B second address: 9CCB41 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9CCF75 second address: 9CCFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 jg 00007F46A0F60142h 0x0000000d jp 00007F46A0F60136h 0x00000013 jl 00007F46A0F60136h 0x00000019 jmp 00007F46A0F60140h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D4158 second address: 9D4175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91B1h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D4175 second address: 9D4196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F46A0F60148h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D4196 second address: 9D41AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jl 00007F46A06E91A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D41AA second address: 9D41B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D2F7E second address: 9D2F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D2F85 second address: 9D2F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D2F8D second address: 9D2F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A0BC4 second address: 9A0BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A0BCA second address: 9A0BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A0CC6 second address: 9A0CCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A0CCC second address: 9A0CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A10F5 second address: 9A10F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A10F9 second address: 9A10FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A11D1 second address: 9A11D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A14A1 second address: 9A14AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F46A06E91A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A14AB second address: 9A14E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007F46A0F6013Eh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F46A0F60147h 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A14E3 second address: 9A14E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A14E9 second address: 9A151E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F46A0F60140h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push esi 0x0000001a pop esi 0x0000001b js 00007F46A0F60136h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jo 00007F46A0F60136h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A16E1 second address: 9A16E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1B17 second address: 9A1B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60141h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1B2C second address: 9A1B5E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F46A06E91A6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1BC4h], esi 0x00000013 mov edx, 31444163h 0x00000018 push 0000001Eh 0x0000001a mov ecx, dword ptr [ebp+122D1D35h] 0x00000020 nop 0x00000021 pushad 0x00000022 jno 00007F46A06E91A8h 0x00000028 js 00007F46A06E91ACh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1EDE second address: 9A1F50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60140h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007F46A0F60140h 0x00000010 nop 0x00000011 xor dword ptr [ebp+1245FC84h], ecx 0x00000017 lea eax, dword ptr [ebp+1247B938h] 0x0000001d call 00007F46A0F60149h 0x00000022 call 00007F46A0F60147h 0x00000027 mov di, bx 0x0000002a pop edi 0x0000002b pop ecx 0x0000002c nop 0x0000002d push eax 0x0000002e push edx 0x0000002f jng 00007F46A0F6013Ch 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1F50 second address: 9A1F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1F54 second address: 9A1F69 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F46A0F6013Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1F69 second address: 9A1F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D326C second address: 9D328F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46A0F60146h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D328F second address: 9D329B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F46A06E91A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D33C9 second address: 9D33CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D33CF second address: 9D33D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D33D3 second address: 9D342E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60142h 0x00000007 jmp 00007F46A0F60144h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jnl 00007F46A0F60136h 0x00000016 jmp 00007F46A0F60149h 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F46A0F6013Ah 0x00000022 popad 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D342E second address: 9D3440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 je 00007F46A06E91A8h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D3604 second address: 9D3608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D38E6 second address: 9D38EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9836C5 second address: 9836CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D82FE second address: 9D831F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46A06E91B7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D831F second address: 9D8323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8323 second address: 9D833A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A06E91B3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D860D second address: 9D863A instructions: 0x00000000 rdtsc 0x00000002 je 00007F46A0F60142h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F46A0F60142h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8905 second address: 9D8909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8909 second address: 9D890F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8B68 second address: 9D8B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8B6E second address: 9D8B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8B77 second address: 9D8B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F46A06E91A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8D01 second address: 9D8D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46A0F60146h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F46A0F60142h 0x00000011 jc 00007F46A0F60136h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D8D36 second address: 9D8D3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D9161 second address: 9D9174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F6013Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9D9174 second address: 9D9179 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9DE6DB second address: 9DE6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9DE6E3 second address: 9DE6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9DE6E9 second address: 9DE6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9DE6F2 second address: 9DE6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9DE6F6 second address: 9DE6FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E25D5 second address: 9E25D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2ACF second address: 9E2AE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F46A0F6013Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2AE7 second address: 9E2AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2AED second address: 9E2AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F46A0F60136h 0x0000000a jg 00007F46A0F60136h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2C75 second address: 9E2C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46A06E91B4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2C91 second address: 9E2CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F46A0F6013Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2334 second address: 9E233A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E233A second address: 9E2348 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F6013Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E2348 second address: 9E234E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E234E second address: 9E2352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E65E1 second address: 9E65E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E65E6 second address: 9E65EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E65EC second address: 9E65F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E65F2 second address: 9E6613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F46A0F60144h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E88BD second address: 9E88C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E88C4 second address: 9E88CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9E84BD second address: 9E84C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ED711 second address: 9ED715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ED715 second address: 9ED730 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F46A06E91A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F46A06E91ADh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ECF6A second address: 9ECF74 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F46A0F60136h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ECF74 second address: 9ECF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ECF7A second address: 9ECF9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60145h 0x00000007 jg 00007F46A0F6013Eh 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ECF9B second address: 9ECFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F46A06E91A6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9ED4DB second address: 9ED4F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60147h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F0A24 second address: 9F0A29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F0B5D second address: 9F0B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F0C7D second address: 9F0CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F46A06E91B3h 0x0000000a pushad 0x0000000b jmp 00007F46A06E91B0h 0x00000010 jnl 00007F46A06E91A6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F77B8 second address: 9F77BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F77BE second address: 9F77C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F77C3 second address: 9F77C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F77C9 second address: 9F77CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F6284 second address: 9F628A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F6413 second address: 9F6432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F46A06E91B4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F6432 second address: 9F6436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F6436 second address: 9F6447 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F46A06E91A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F6447 second address: 9F6496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F46A0F6013Ah 0x0000000e jc 00007F46A0F60136h 0x00000014 jmp 00007F46A0F60146h 0x00000019 jns 00007F46A0F60136h 0x0000001f popad 0x00000020 jmp 00007F46A0F60149h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F660A second address: 9F6621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007F46A06E91A6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9A1B07 second address: 9A1B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F46A0F60136h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F9C09 second address: 9F9C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F9C0D second address: 9F9C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9F9C13 second address: 9F9C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F46A06E91B4h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A00B59 second address: A00B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FEBF7 second address: 9FEC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F46A06E91B9h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FF170 second address: 9FF174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FF174 second address: 9FF184 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F46A06E91AEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FF40A second address: 9FF426 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F46A0F60143h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FF9F3 second address: 9FF9F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FF9F7 second address: 9FFA2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F46A0F60143h 0x0000000e jmp 00007F46A0F6013Fh 0x00000013 jbe 00007F46A0F60136h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFA2D second address: 9FFA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFA33 second address: 9FFA67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F6013Ah 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 push eax 0x00000013 jmp 00007F46A0F60145h 0x00000018 jng 00007F46A0F60136h 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFA67 second address: 9FFA7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46A06E91B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFA7D second address: 9FFA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFD50 second address: 9FFD5A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F46A06E91A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFD5A second address: 9FFD71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F46A0F60136h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 9FFD71 second address: 9FFD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A00073 second address: A00082 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A00082 second address: A00086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A00086 second address: A0008E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0008E second address: A00096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A00096 second address: A000A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A000A0 second address: A000AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F46A06E91A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A07C90 second address: A07C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A07C98 second address: A07CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F46A06E91B0h 0x0000000b jmp 00007F46A06E91B4h 0x00000010 popad 0x00000011 pop edx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F46A06E91B2h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A07E4D second address: A07E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F46A0F60136h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A07E57 second address: A07E71 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F46A06E91A6h 0x00000008 jl 00007F46A06E91A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jp 00007F46A06E91AEh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A07FB1 second address: A07FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A07FB7 second address: A07FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0838F second address: A08393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A08393 second address: A08399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A08399 second address: A083C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60143h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F46A0F6013Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A08520 second address: A0852A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0852A second address: A08540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F46A0F6013Bh 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A08540 second address: A08544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A08544 second address: A08548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0FFE5 second address: A0FFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0FFEB second address: A0FFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0FFF1 second address: A10003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F46A06E91ADh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A10569 second address: A1056D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A1056D second address: A10579 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F46A06E91A6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A1072D second address: A1075C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46A0F6013Ah 0x00000008 jno 00007F46A0F60136h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F46A0F60144h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0F617 second address: A0F61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0F61B second address: A0F61F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A0F61F second address: A0F625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A171C9 second address: A171CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A171CE second address: A171DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F46A06E91A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A171DD second address: A171E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A16D23 second address: A16D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A16D2F second address: A16D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F46A0F60136h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A16D40 second address: A16D60 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F46A06E91B5h 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A16EB6 second address: A16EE1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F46A0F6013Eh 0x00000008 jns 00007F46A0F60136h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F46A0F60147h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A16EE1 second address: A16EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A196CF second address: A196D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A196D4 second address: A196D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 954BF9 second address: 954C00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A25568 second address: A25574 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A25574 second address: A25578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A250FF second address: A2510A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F46A06E91A6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A2510A second address: A2510F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A2510F second address: A2511D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F46A06E91A6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A26B99 second address: A26BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60147h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jl 00007F46A0F60136h 0x00000010 pop edi 0x00000011 jne 00007F46A0F6013Ch 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jne 00007F46A0F60142h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A2912C second address: A29141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F46A06E91AAh 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A29141 second address: A2916F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60146h 0x00000007 je 00007F46A0F60136h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push edi 0x00000011 push ebx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F46A0F60136h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A2916F second address: A29173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A2B9F2 second address: A2B9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A2BB66 second address: A2BB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F46A06E91B0h 0x0000000b jno 00007F46A06E91A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C833 second address: A3C856 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60143h 0x00000007 jl 00007F46A0F60136h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C856 second address: A3C863 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F46A06E91A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C863 second address: A3C869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C869 second address: A3C86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C86E second address: A3C87E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F46A0F60136h 0x0000000a jns 00007F46A0F60136h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C87E second address: A3C882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A3C882 second address: A3C892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F46A0F6013Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A42FA9 second address: A42FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A42FAF second address: A42FC9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F46A0F60136h 0x0000000d ja 00007F46A0F60136h 0x00000013 pop eax 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A42FC9 second address: A42FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A4310F second address: A43145 instructions: 0x00000000 rdtsc 0x00000002 je 00007F46A0F60136h 0x00000008 jmp 00007F46A0F6013Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 popad 0x00000014 jne 00007F46A0F6015Ch 0x0000001a pushad 0x0000001b jmp 00007F46A0F60142h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A43145 second address: A4314B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A4314B second address: A43151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A43415 second address: A4341B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A4341B second address: A43425 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F46A0F6013Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A43425 second address: A43436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007F46A06E91A6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A4357E second address: A43582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A43582 second address: A4358E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A48282 second address: A48289 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A48289 second address: A482B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jnp 00007F46A06E91A6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F46A06E91A6h 0x0000001c jmp 00007F46A06E91B2h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A482B7 second address: A482BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A482BB second address: A482C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A47DB0 second address: A47DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A47F35 second address: A47F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A47F3A second address: A47F7F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F46A0F60138h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F46A0F6016Eh 0x00000010 jbe 00007F46A0F60153h 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007F46A0F6013Bh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A508B7 second address: A508C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A66308 second address: A6630E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A664BF second address: A664D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007F46A06E91ACh 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A67DDD second address: A67DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A67DE4 second address: A67E1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F46A06E91A6h 0x00000009 jmp 00007F46A06E91AFh 0x0000000e jmp 00007F46A06E91B6h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F46A06E91A6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A67E1B second address: A67E1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A7BF07 second address: A7BF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A7BF0F second address: A7BF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F46A0F60136h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A7BF1E second address: A7BF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A7C53E second address: A7C56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 jmp 00007F46A0F60143h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F46A0F6013Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A82450 second address: A82456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A82456 second address: A8247F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46A0F60148h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F46A0F60138h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: A83A71 second address: A83A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46A06E91B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99C105 second address: 99C10F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F46A0F60136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99C10F second address: 99C114 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\lJEIftsml0.exe	RDTSC instruction interceptor: First address: 99F6C3 second address: 99F6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Special instruction interceptor: First address: 7F88CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Special instruction interceptor: First address: 99138F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Special instruction interceptor: First address: 9A0D2F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Special instruction interceptor: First address: A1ABCE instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Code function: 0_2_007FB598 rdtsc

0_2_007FB598

Source: C:\Users\user\Desktop\lJEIftsml0.exe TID: 4708

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: lJEIftsml0.exe, lJEIftsml0.exe, 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: lJEIftsml0.exe, 00000000.00000003.2111410301.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: lJEIftsml0.exe, 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\lJEIftsml0.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\lJEIftsml0.exe	File opened: NTICE
Source: C:\Users\user\Desktop\lJEIftsml0.exe	File opened: SICE
Source: C:\Users\user\Desktop\lJEIftsml0.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\lJEIftsml0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\lJEIftsml0.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Code function: 0_2_007FB598 rdtsc

0_2_007FB598

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Code function: 0_2_007DE110 LdrInitializeThunk,

0_2_007DE110

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: lJEIftsml0.exe	String found in binary or memory: bashfulacid.lat
Source: lJEIftsml0.exe	String found in binary or memory: tentabatte.lat
Source: lJEIftsml0.exe	String found in binary or memory: curverpluch.lat
Source: lJEIftsml0.exe	String found in binary or memory: talkynicer.lat
Source: lJEIftsml0.exe	String found in binary or memory: shapestickyr.lat
Source: lJEIftsml0.exe	String found in binary or memory: manyrestro.lat
Source: lJEIftsml0.exe	String found in binary or memory: slipperyloo.lat
Source: lJEIftsml0.exe	String found in binary or memory: wordyfindy.lat
Source: lJEIftsml0.exe	String found in binary or memory: observerfry.lat

Source: lJEIftsml0.exe, 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Program Manager
Source: lJEIftsml0.exe	Binary or memory string: J8Program Manager

Source: C:\Users\user\Desktop\lJEIftsml0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lJEIftsml0.exe	66%	ReversingLabs	Win32.Trojan.Symmi
lJEIftsml0.exe	69%	Virustotal		Browse
lJEIftsml0.exe	100%	Avira	TR/Crypt.XPACK.Gen
lJEIftsml0.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
shapestickyr.lat	unknown	unknown	false	high
observerfry.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
curverpluch.lat	false	high
slipperyloo.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
observerfry.lat	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
wordyfindy.lat	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	lJEIftsml0.exe, 00000000.00000003.2111410301.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121283206.0000000001282000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121056235.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111410301.0000000001233000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000002.2121091389.0000000001233000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001286000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111947747.0000000001280000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111759331.0000000001251000.00000004.00000020.00020000.00000000.sdmp, lJEIftsml0.exe, 00000000.00000003.2111391708.0000000001287000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580930
Start date and time:	2024-12-26 13:16:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lJEIftsml0.exe renamed because original name is a hash value
Original Sample Name:	2a477b9b4af409aba2a01fff919b7fd5.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:17:27	API Interceptor	6x Sleep call for process: lJEIftsml0.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	M7uF55qihK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	pTM2NWuTvC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DjnwNMDQhC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	0c8cY5GOMh.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tFDKSN3TdH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ghumRvJGY9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	z3IxCpcpg4.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	M7uF55qihK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	pTM2NWuTvC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DjnwNMDQhC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	0c8cY5GOMh.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tFDKSN3TdH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ghumRvJGY9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse	104.121.10.34

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	M7uF55qihK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	pTM2NWuTvC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DjnwNMDQhC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	0c8cY5GOMh.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tFDKSN3TdH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ghumRvJGY9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	z3IxCpcpg4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950051153305273
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lJEIftsml0.exe
File size:	1'830'400 bytes
MD5:	2a477b9b4af409aba2a01fff919b7fd5
SHA1:	ed3ec90b765629794ac133286fb87e608630fa96
SHA256:	6b0fb3a9b583ec2f3dbbfb1e942834aa1d2028342e4bf38df84ab4549430f612
SHA512:	9750b019b2580325db7d81a840a2f6125c2b0cb1111f32bda52cdfb80a014fe5faa34d1ba24d32c509c1295ce98c0e5a881f6fc01528291260a45c64a66d8fa7
SSDEEP:	49152:EVpsvQX7U8jL1ZZLbBiOAjegD9VOQUxYpkP6nugsF19L8d:ws4X7U8H9fAjewgsfu/ntO
TLSH:	CA8533ACCE301297C2C7D838AB05AF7C26BD21D9436CE65C841CBE796CABF5558439B1
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig.............................PH...........@...........................H...........@.................................Y@..m..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x885000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F46A0DCDB1Ah
bswap esp
sbb eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F46A0DCFB15h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x26400	f4ddaa9bcdc088cdb541cf5860583d84	False	0.9994574652777778	data	7.9803248149600154	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x1ac	0x200	c4249243ceaeb236e3ce8ce2ab2c9a69	False	0.5390625	data	5.249019796122045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x55000	0x29a000	0x200	d80fd668287c6f16c0b249ec06e865bb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zeguhbed	0x2ef000	0x195000	0x194e00	4c9a11977e6aa35a3162fb71e3a91623	False	0.9949323672429762	data	7.954960402364715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ghwwoioc	0x484000	0x1000	0x400	f93b84a02b359f6e3f5fa26619bce060	False	0.7529296875	data	5.952370914777083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x485000	0x3000	0x2200	26e6aad4293e0b6619f58cc8afa45a60	False	0.09846047794117647	DOS executable (COM)	1.0554044599698913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x53058	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T13:17:28.418160+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.5	54762	1.1.1.1	53	UDP
2024-12-26T13:17:28.562364+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.5	52461	1.1.1.1	53	UDP
2024-12-26T13:17:28.791178+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.5	57350	1.1.1.1	53	UDP
2024-12-26T13:17:28.993282+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.5	65250	1.1.1.1	53	UDP
2024-12-26T13:17:29.140851+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.5	51489	1.1.1.1	53	UDP
2024-12-26T13:17:29.285564+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.5	62457	1.1.1.1	53	UDP
2024-12-26T13:17:29.424550+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.5	57213	1.1.1.1	53	UDP
2024-12-26T13:17:29.566429+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.5	59629	1.1.1.1	53	UDP
2024-12-26T13:17:31.335011+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	104.102.49.254	443	TCP
2024-12-26T13:17:32.205428+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49704	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 13:17:29.855207920 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:29.855243921 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:29.855357885 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:29.856846094 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:29.856863022 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:31.334929943 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:31.335011005 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:31.341779947 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:31.341804981 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:31.342137098 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:31.395509005 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:31.538769960 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:31.583333015 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205435038 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205461025 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205466986 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205499887 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205516100 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205732107 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.205732107 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.205801964 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.205873013 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.397438049 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.397516966 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.397522926 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.397557974 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.397576094 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.398439884 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.398463964 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.398472071 CET	49704	443	192.168.2.5	104.102.49.254
Dec 26, 2024 13:17:32.398822069 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.398910999 CET	443	49704	104.102.49.254	192.168.2.5
Dec 26, 2024 13:17:32.398962975 CET	49704	443	192.168.2.5	104.102.49.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 13:17:28.194484949 CET	51167	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:28.331875086 CET	53	51167	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:28.418159962 CET	54762	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:28.560846090 CET	53	54762	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:28.562364101 CET	52461	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:28.699920893 CET	53	52461	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:28.791177988 CET	57350	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:28.929514885 CET	53	57350	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:28.993282080 CET	65250	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:29.130860090 CET	53	65250	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:29.140851021 CET	51489	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:29.283128023 CET	53	51489	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:29.285563946 CET	62457	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:29.422751904 CET	53	62457	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:29.424550056 CET	57213	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:29.562680960 CET	53	57213	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:29.566428900 CET	59629	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:29.704721928 CET	53	59629	1.1.1.1	192.168.2.5
Dec 26, 2024 13:17:29.707783937 CET	64347	53	192.168.2.5	1.1.1.1
Dec 26, 2024 13:17:29.849021912 CET	53	64347	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 13:17:28.194484949 CET	192.168.2.5	1.1.1.1	0x209f	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.418159962 CET	192.168.2.5	1.1.1.1	0xf190	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.562364101 CET	192.168.2.5	1.1.1.1	0xb344	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.791177988 CET	192.168.2.5	1.1.1.1	0x486e	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.993282080 CET	192.168.2.5	1.1.1.1	0xa85f	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.140851021 CET	192.168.2.5	1.1.1.1	0xa19e	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.285563946 CET	192.168.2.5	1.1.1.1	0xc03b	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.424550056 CET	192.168.2.5	1.1.1.1	0x2224	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.566428900 CET	192.168.2.5	1.1.1.1	0xc8f8	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.707783937 CET	192.168.2.5	1.1.1.1	0xbf3b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 13:17:28.331875086 CET	1.1.1.1	192.168.2.5	0x209f	Name error (3)	observerfry.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.560846090 CET	1.1.1.1	192.168.2.5	0xf190	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.699920893 CET	1.1.1.1	192.168.2.5	0xb344	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:28.929514885 CET	1.1.1.1	192.168.2.5	0x486e	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.130860090 CET	1.1.1.1	192.168.2.5	0xa85f	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.283128023 CET	1.1.1.1	192.168.2.5	0xa19e	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.422751904 CET	1.1.1.1	192.168.2.5	0xc03b	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.562680960 CET	1.1.1.1	192.168.2.5	0x2224	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.704721928 CET	1.1.1.1	192.168.2.5	0xc8f8	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:17:29.849021912 CET	1.1.1.1	192.168.2.5	0xbf3b	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.102.49.254	443	6544	C:\Users\user\Desktop\lJEIftsml0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 12:17:31 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-26 12:17:32 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Dec 2024 12:17:31 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=7bcd6a44c1d25d97184cbe63; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 12:17:32 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 12:17:32 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	07:17:25
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\lJEIftsml0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lJEIftsml0.exe"
Imagebase:	0x7a0000
File size:	1'830'400 bytes
MD5 hash:	2A477B9B4AF409ABA2A01FFF919B7FD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.6%
Total number of Nodes:	65
Total number of Limit Nodes:	4

Executed Functions

Function 007AB100 Relevance: 19.2, Strings: 15, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pE}G, xrefs: 007AB253
k=W?, xrefs: 007AB23F
b6j4, xrefs: 007AB57D
Gq\s, xrefs: 007AB2C1
S%U', xrefs: 007AB203
Ym]o, xrefs: 007AB2B7
yQrS, xrefs: 007AB271
hI2K, xrefs: 007AB25D
zMzO, xrefs: 007AB267
.AtC, xrefs: 007AB249
D!M#, xrefs: 007AB1F9
9]_, xrefs: 007AB28F
Gu@w, xrefs: 007AB2CB
(Y6[, xrefs: 007AB285
XyR{, xrefs: 007AB2D5

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: (Y6[$.AtC$9]_$D!M#$Gq\s$Gu@w$S%U'$XyR{$Ym]o$b6j4$hI2K$k=W?$pE}G$yQrS$zMzO
API String ID: 0-620192811
Opcode ID: 51ddaf940a1826d2b509257e4b260c8ca439e36f9484c71c5988b15581226faa
Instruction ID: c7c2fc738260525df1d2759eb07e34d48ff46efe610fb0c4f7face6ddfda115f
Opcode Fuzzy Hash: 51ddaf940a1826d2b509257e4b260c8ca439e36f9484c71c5988b15581226faa
Instruction Fuzzy Hash: B40274B1201B45DFD724CF25D891BABBBF1FB49314F008A2CD5AA8BAA1D738A414CF54

Function 007A8600 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 007A8A4B

Part of subcall function 007AB7B0: FreeLibrary.KERNEL32(007A8A31), ref: 007AB7B6
Part of subcall function 007AB7B0: FreeLibrary.KERNEL32 ref: 007AB7D7

Strings

}, xrefs: 007A8913
b]u), xrefs: 007A8877
}, xrefs: 007A890C

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: FreeLibrary$ExitProcess
String ID: b]u)$}$}
API String ID: 1614911148-2900034282
Opcode ID: c75c31bc7e59b2ba5641d0e5d5c215390b7ec44da22ea826afcd2063f03bee56
Instruction ID: 348621d3d8ec6213c79f115d981b3e60fd94fb4618483719033a1861c7ab5837
Opcode Fuzzy Hash: c75c31bc7e59b2ba5641d0e5d5c215390b7ec44da22ea826afcd2063f03bee56
Instruction Fuzzy Hash: DBC1F973E187144BC718DF69C84125AF7D6ABC4710F1EC62EA898EB351EA74DC058BC6

Function 007DE110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(007E148A,?,00000018,?,?,00000018,?,?,?), ref: 007DE13E

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 007E1720 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=<32, xrefs: 007E176D

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID: =<32
API String ID: 2994545307-852023076
Opcode ID: 1f14cf62897d2a44c11d1a2675e19e02e04b5f0157b9ad88a5fb1cdf0bb64791
Instruction ID: 600f0f4296ef7f00b6f7c6dc0932c2ccf1fd0826f9153308036cc16da570db1a
Opcode Fuzzy Hash: 1f14cf62897d2a44c11d1a2675e19e02e04b5f0157b9ad88a5fb1cdf0bb64791
Instruction Fuzzy Hash: 80318A34706384AFE7149A15DCD2B3FB3A5EB8D720F58852CE5859B2D0D738EC808782

Function 007A8A50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction ID: fb3ca347b752759e92d5ea432df8c56ce4a0e49e62db2f1a9be09b6d425508de
Opcode Fuzzy Hash: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction Fuzzy Hash: 9C21C537A627184BD3108E54DCC87917761E7D9328F3E86B8C9249F3D2C97BA91386C0

Function 007A9D1E Relevance: 3.1, APIs: 2, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 007A9D98
LoadLibraryExW.KERNEL32(?,00000000), ref: 007A9E78

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 054c67db08fa60e567582992988781fb593740ddeb3fa472a2563e9de6fe44ea
Instruction ID: 14b7945cdba7a8fe7456223d443cc95b3dc69b603acc92169b7d7de9d87f8ae4
Opcode Fuzzy Hash: 054c67db08fa60e567582992988781fb593740ddeb3fa472a2563e9de6fe44ea
Instruction Fuzzy Hash: 41412274D003409FE7159F7899D6A9A7F71FB4A324F40839CD5902F3A2C635980ACBE2

Function 007DE0A0 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 007DE0E0

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5c8348b767bbff05f0710351aeca75b00446e395cbbf5befd9fb647871cc3d4c
Instruction ID: fc3c0e81569bd501beb00b2b5dc04c13d5a654723d3315f3056e77127b8bb19f
Opcode Fuzzy Hash: 5c8348b767bbff05f0710351aeca75b00446e395cbbf5befd9fb647871cc3d4c
Instruction Fuzzy Hash: D6F0A072819252FBC3112F28BD0AA5B3AB8AFC6720F254436F5019E261DA3CE816C595

Function 007A9EB7 Relevance: 1.5, APIs: 1, Instructions: 18
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 007A9ED2

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: a0223813911612e59af0edbd40fa861be50bfa0e7983e90881d85d0afdcfa93c
Instruction ID: 1ee5bbede6fd4c5df6d7cc1fa0ee00d83fc230c2520811dfd6085db08aadbadb
Opcode Fuzzy Hash: a0223813911612e59af0edbd40fa861be50bfa0e7983e90881d85d0afdcfa93c
Instruction Fuzzy Hash: C9E02B336426469BD700DB30EC87E493366EB59349705C429E215D9171EA7AA4109A10

Function 007DC570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,007DE0F9), ref: 007DC590

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 977f948efc7cb51632c47fc41278594ff4626cb36e599f164dadbf02c1c890a8
Instruction ID: fa4105515af870c9b5dfa0382fbaa23316946358a92cc5caca06276c64ea5b5f
Opcode Fuzzy Hash: 977f948efc7cb51632c47fc41278594ff4626cb36e599f164dadbf02c1c890a8
Instruction Fuzzy Hash: EED0C93281A122EBCA102F28BC15BD73B689F49220F074892F504AA175C628EC91DAD4

Function 007DC55C Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 007DC561

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 97e638001bdec5be0f16fd31772c66bc48335f1134b1ff0038b31115332c9dec
Instruction ID: 399aed514beefc61c29fa29732301bda496da47b476d1120948ef96c659f1db7
Opcode Fuzzy Hash: 97e638001bdec5be0f16fd31772c66bc48335f1134b1ff0038b31115332c9dec
Instruction Fuzzy Hash: 33A001711851109ADA562B24BC09B947B21AB58621F128191E101994F686659892DA89

Function 007F9D7E Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 007F9D8A

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec7656c0c8fbaf38f15cf0e89f8b45ac375e12006cdabe8ed0fbb8dbb628e1f5
Instruction ID: f454d87610ef3b7ad00965552c64d40c8626998530ec7561ff468a1606149c93
Opcode Fuzzy Hash: ec7656c0c8fbaf38f15cf0e89f8b45ac375e12006cdabe8ed0fbb8dbb628e1f5
Instruction Fuzzy Hash: ABD09E7540920D8FDB449FB4840C69E37A0EF04322F114A19ED75C66C0D7314C608F06

Function 007FA357 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007FA357

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 94110dfdaabc153c1cf8df9bc6b562c7ee102f4c705d55282a51bebb457b202d
Instruction ID: 8fcf9e44faeed2254afe4b5a0198d31de06a5bf2675d74c8a90aeb1f87a4fc90
Opcode Fuzzy Hash: 94110dfdaabc153c1cf8df9bc6b562c7ee102f4c705d55282a51bebb457b202d
Instruction Fuzzy Hash: 25C09BB450550D9FD7044F2544445BFF6E5EF44701B5080295E96C1B10E7770C34CE25

Non-executed Functions

Function 007B2750 Relevance: 266.3, APIs: 2, Strings: 149, Instructions: 2041COMMON

Download Yara Rule

Strings

[, xrefs: 007B3C62
<, xrefs: 007B34C9
e, xrefs: 007B3CF2
^, xrefs: 007B4471
k, xrefs: 007B3CE2
Y, xrefs: 007B281E
D, xrefs: 007B456B
`, xrefs: 007B3588
_, xrefs: 007B41E7
_, xrefs: 007B39A7
-, xrefs: 007B3B7D
+, xrefs: 007B4021
&, xrefs: 007B3C3A
d, xrefs: 007B2EF0
|, xrefs: 007B3423
9, xrefs: 007B3F91
., xrefs: 007B3C5A
A, xrefs: 007B2F30
c, xrefs: 007B3D22
!, xrefs: 007B4051
;, xrefs: 007B3967
^, xrefs: 007B3604
{, xrefs: 007B3D62
2, xrefs: 007B2B1F
E, xrefs: 007B3BF2
Z, xrefs: 007B397F
g, xrefs: 007B3D02
s, xrefs: 007B3DA2
q, xrefs: 007B3D92
m, xrefs: 007B3F89
9, xrefs: 007B3927
\, xrefs: 007B3614
@, xrefs: 007B394F
S, xrefs: 007B3FC9
/, xrefs: 007B3C2A
;, xrefs: 007B3FA1
<, xrefs: 007B336C
i, xrefs: 007B3744
r, xrefs: 007B3D9A
N, xrefs: 007B3FE9
a, xrefs: 007B295D
:, xrefs: 007B3BDA
F, xrefs: 007B395F
], xrefs: 007B3C32
X, xrefs: 007B398F
%, xrefs: 007B4031
F, xrefs: 007B2F20
o, xrefs: 007B3CC2
A, xrefs: 007B3C12
^, xrefs: 007B2D94
X, xrefs: 007B3D4A
=, xrefs: 007B34D9
j, xrefs: 007B2F58
\, xrefs: 007B464B
J, xrefs: 007B3CDA
y, xrefs: 007B34E9
D, xrefs: 007B396F
#, xrefs: 007B4061
-, xrefs: 007B3FF1
., xrefs: 007B3B82
D, xrefs: 007B4578
1, xrefs: 007B3947
1, xrefs: 007B3FD1
<, xrefs: 007B2DA3
C, xrefs: 007B3C22
*, xrefs: 007B2A6C
j, xrefs: 007B3413
/, xrefs: 007B3C9A
\, xrefs: 007B436F
^, xrefs: 007B463B
?, xrefs: 007B3F81
R, xrefs: 007B3D8A
B, xrefs: 007B393F
i, xrefs: 007B3CD2
v, xrefs: 007B3C7A
9, xrefs: 007B3977
, xrefs: 007B3C6A
o, xrefs: 007B3997
], xrefs: 007B4643
}, xrefs: 007B3D32
], xrefs: 007B4479
^, xrefs: 007B435F
L, xrefs: 007B2A71
O, xrefs: 007B3D5A
;, xrefs: 007B2F00
~, xrefs: 007B3433
S, xrefs: 007B3CA2
6, xrefs: 007B2BE4
=, xrefs: 007B3F71
', xrefs: 007B4041
%, xrefs: 007B3957
), xrefs: 007B4011
%, xrefs: 007B3C4A
D, xrefs: 007B4136
Y, xrefs: 007B3C52
_, xrefs: 007B4469
_, xrefs: 007B3C42
^, xrefs: 007B41EF
V, xrefs: 007B3D7A
y, xrefs: 007B3D52
K, xrefs: 007B3BE2
^, xrefs: 007B4734
G, xrefs: 007B3C02
k, xrefs: 007B2F60
w, xrefs: 007B3D82
0, xrefs: 007B3C1A
a, xrefs: 007B3D12
f, xrefs: 007B27B6
W, xrefs: 007B3C82
5, xrefs: 007B3FB1
2, xrefs: 007B3403
Q, xrefs: 007B3C92
], xrefs: 007B41F7
_, xrefs: 007B4633
~, xrefs: 007B2D99
/, xrefs: 007B3B87
\, xrefs: 007B473E
\, xrefs: 007B39AF
u, xrefs: 007B3D72
], xrefs: 007B360C
H, xrefs: 007B2F10
&, xrefs: 007B29D4
E, xrefs: 007B2CB1
K, xrefs: 007B4019
e, xrefs: 007B3C8A
3, xrefs: 007B3BEA
^, xrefs: 007B399F
U, xrefs: 007B3C72
], xrefs: 007B4739
/, xrefs: 007B4001
d, xrefs: 007B34B9
?, xrefs: 007B3076
h, xrefs: 007B2F68
", xrefs: 007B4059
7, xrefs: 007B3FC1
], xrefs: 007B4367
_, xrefs: 007B4357
\, xrefs: 007B41FF
_, xrefs: 007B35FC
l, xrefs: 007B3987
8, xrefs: 007B3937
L, xrefs: 007B392F
3, xrefs: 007B3FE1
\, xrefs: 007B4481
=, xrefs: 007B3C0A
n, xrefs: 007B2F38
m, xrefs: 007B3CB2
l, xrefs: 007B2F48
_, xrefs: 007B472F

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: $!$"$#$%$%$%$&$&$'$)$*$+$-$-$.$.$/$/$/$/$0$1$1$2$2$3$3$5$6$7$8$9$9$9$:$;$;$;$<$<$<$=$=$=$?$?$@$A$A$B$C$D$D$D$D$E$E$F$F$G$H$J$K$K$L$L$N$O$Q$R$S$S$U$V$W$X$X$Y$Y$Z$[$\$\$\$\$\$\$\$]$]$]$]$]$]$]$^$^$^$^$^$^$^$^$_$_$_$_$_$_$_$_$`$a$a$c$d$d$e$e$f$g$h$i$i$j$j$k$k$l$l$m$m$n$o$o$q$r$s$u$v$w$y$y${$|$}$~$~
API String ID: 0-1985396431
Opcode ID: b2028c96adc1341bb665469cb36be73d7b89636fb7797a7c3b8d7f9aac663cf1
Instruction ID: 6ca2ed15f81eaa3e6deb175583d7e52ec327bf3178272aa80f47e54792a9c250
Opcode Fuzzy Hash: b2028c96adc1341bb665469cb36be73d7b89636fb7797a7c3b8d7f9aac663cf1
Instruction Fuzzy Hash: 33139D3150C7C08ED3359B3884483AFBFE1ABD6314F198A6DE4E987392D6B98945CB53

Function 007C42D0 Relevance: 43.1, APIs: 2, Strings: 22, Instructions: 1129COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 007C43AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 007C443E

Strings

Xs, xrefs: 007C5CD8
RE|, xrefs: 007C4542
b`, xrefs: 007C55F9
tj, xrefs: 007C53BE
N~4|, xrefs: 007C593E
ut, xrefs: 007C5CE3
13, xrefs: 007C5BFC
+$e, xrefs: 007C43FA, 007C442B
bF|, xrefs: 007C464E
r:i8, xrefs: 007C5899
=:, xrefs: 007C57CE
y{, xrefs: 007C5B36
DD, xrefs: 007C5CEE
n l, xrefs: 007C596A
+$e, xrefs: 007C4365, 007C437A
e>n<, xrefs: 007C588E
gd, xrefs: 007C5E60
|r, xrefs: 007C53A8
%r?p, xrefs: 007C595F
uw, xrefs: 007C5B57
=?, xrefs: 007C5BF1
<j:h, xrefs: 007C5975

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$ n l$%r?p$<j:h$=:$DD$N~4|$RE|$Xs$bF|$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 237503144-4269729668
Opcode ID: 6c855f79908f6bf94423d6b348c16f00b87eb69e5b289fb39257295132a59297
Instruction ID: a77316f3a7af54888ba3730c1cc1af7d89c2cfe1d9363a222725808119d18f74
Opcode Fuzzy Hash: 6c855f79908f6bf94423d6b348c16f00b87eb69e5b289fb39257295132a59297
Instruction Fuzzy Hash: B9C20CB560D3848AD334CF54C452B9FBBF2FB82300F00892DD5E96B255D7B5864A8B9B

Function 007C4560 Relevance: 39.6, APIs: 1, Strings: 21, Instructions: 1081COMMON

Download Yara Rule

Strings

Xs, xrefs: 007C5CD8
RE|, xrefs: 007C4542
b`, xrefs: 007C55F9
tj, xrefs: 007C53BE
N~4|, xrefs: 007C593E
ut, xrefs: 007C5CE3
13, xrefs: 007C5BFC
+$e, xrefs: 007C442B
bF|, xrefs: 007C464E
r:i8, xrefs: 007C5899
=:, xrefs: 007C57CE
y{, xrefs: 007C5B36
DD, xrefs: 007C5CEE
n l, xrefs: 007C596A
e>n<, xrefs: 007C588E
gd, xrefs: 007C5E60
|r, xrefs: 007C53A8
%r?p, xrefs: 007C595F
uw, xrefs: 007C5B57
=?, xrefs: 007C5BF1
<j:h, xrefs: 007C5975

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: +$e$ n l$%r?p$<j:h$=:$DD$N~4|$RE|$Xs$bF|$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 0-1661947199
Opcode ID: eb0f49ab9c6c9a2eea74c37b7f9129d5002dd7ebc70480259f84e3a9bfc17818
Instruction ID: 51df89ecb8c88f1950642406d41aed206e3ecaa6a43167c5f1927f6f8b5a6f18
Opcode Fuzzy Hash: eb0f49ab9c6c9a2eea74c37b7f9129d5002dd7ebc70480259f84e3a9bfc17818
Instruction Fuzzy Hash: 8FC20CB560D3848AE334CF54C852BDFBBF2EB82300F00892DD5E96B255D7B546498B9B

Function 007C46D0 Relevance: 39.5, APIs: 1, Strings: 21, Instructions: 1047COMMON

Download Yara Rule

Strings

Xs, xrefs: 007C5CD8
RE|, xrefs: 007C4542
b`, xrefs: 007C55F9
tj, xrefs: 007C53BE
N~4|, xrefs: 007C593E
ut, xrefs: 007C5CE3
13, xrefs: 007C5BFC
+$e, xrefs: 007C442B
bF|, xrefs: 007C464E
r:i8, xrefs: 007C5899
=:, xrefs: 007C57CE
y{, xrefs: 007C5B36
DD, xrefs: 007C5CEE
n l, xrefs: 007C596A
e>n<, xrefs: 007C588E
gd, xrefs: 007C5E60
|r, xrefs: 007C53A8
%r?p, xrefs: 007C595F
uw, xrefs: 007C5B57
=?, xrefs: 007C5BF1
<j:h, xrefs: 007C5975

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: +$e$ n l$%r?p$<j:h$=:$DD$N~4|$RE|$Xs$bF|$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 0-1661947199
Opcode ID: c4e37d25a4fdada335c03bd5126af6d3fce5802ab288bb1cb28d6c7f1b626083
Instruction ID: 06575e6ae8883d13c0a6f3fdc28fdeb2077b21cc537c31b038cb4a50726a00d6
Opcode Fuzzy Hash: c4e37d25a4fdada335c03bd5126af6d3fce5802ab288bb1cb28d6c7f1b626083
Instruction Fuzzy Hash: 59C20BB560D3848AD334CF54D852BDFBAF2FB82300F00892DC5E96B255D7B5464A8B9B

Function 007C1D00 Relevance: 26.8, Strings: 21, Instructions: 506COMMON

Download Yara Rule

Strings

,, xrefs: 007C21D9
], xrefs: 007C214B
d, xrefs: 007C20D6
], xrefs: 007C23BD
^, xrefs: 007C2146
8, xrefs: 007C1F07
_, xrefs: 007C1DA4
^, xrefs: 007C1DA9
_, xrefs: 007C2141
\, xrefs: 007C23C2
9, xrefs: 007C1F0C
_, xrefs: 007C23B3
\, xrefs: 007C2150
^, xrefs: 007C23B8
!@, xrefs: 007C1D36
?, xrefs: 007C1F02
g, xrefs: 007C20CC
Z, xrefs: 007C20DB
], xrefs: 007C1DAE
\, xrefs: 007C1DB3
s, xrefs: 007C2284

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: !@$,$8$9$?$Z$\$\$\$]$]$]$^$^$^$_$_$_$d$g$s
API String ID: 0-1565257739
Opcode ID: 69aaffa91f3742f64cb5864c8a7f50803ad9c5c86243372bcf0ba42e7fa49a9f
Instruction ID: 501ddd63c1bec8bfc4ceacdce49978c49b33767dfe43268cdfcab5a6c8e62f16
Opcode Fuzzy Hash: 69aaffa91f3742f64cb5864c8a7f50803ad9c5c86243372bcf0ba42e7fa49a9f
Instruction Fuzzy Hash: C3229C7150C7808FD3249B28C485B6FBBE1AB86314F28896EE4D987392D77DD846CB43

Function 007B57C0 Relevance: 20.5, Strings: 15, Instructions: 1713COMMON

Download Yara Rule

Strings

{zdy, xrefs: 007B611D
qRb`, xrefs: 007B6133
*,-", xrefs: 007B66EF
L4, xrefs: 007B6780
L4, xrefs: 007B6BA0
t~v:, xrefs: 007B61E7
uqrs, xrefs: 007B6AF0
WQ, xrefs: 007B59E3
3F&D, xrefs: 007B6273
pt}w, xrefs: 007B61F2
_^]\, xrefs: 007B5B14
~mfQ, xrefs: 007B613E
ntxE, xrefs: 007B6112
w}MI, xrefs: 007B6128
S\], xrefs: 007B59EE

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: *,-"$3F&D$_^]\$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$S\]$WQ$L4$L4
API String ID: 0-510280711
Opcode ID: afef10de073230e966f77a124b6fc550342e08e26abd47183d7f9b23ad7dce85
Instruction ID: 737c4f488f1781f21d0ef5b71b5143dd07bf1819079024a66b669b6f3f43b8dd
Opcode Fuzzy Hash: afef10de073230e966f77a124b6fc550342e08e26abd47183d7f9b23ad7dce85
Instruction Fuzzy Hash: D9C204B1608340CFD7248F24D8957ABB7E2FF96314F19893CE5D98B296E7389901CB52

Function 007C2EF4 Relevance: 19.1, Strings: 15, Instructions: 385COMMON

Download Yara Rule

Strings

~SS}, xrefs: 007C2F37
V], xrefs: 007C31FA
].n^, xrefs: 007C2F57
Fm, xrefs: 007C31F2
g}zh, xrefs: 007C2F27
Q*RG, xrefs: 007C2F5F
wdnf, xrefs: 007C2F07
I, xrefs: 007C3048
JOSP, xrefs: 007C2F6F
- $f, xrefs: 007C3038
9#', xrefs: 007C3040
s, xrefs: 007C2FCA
%", xrefs: 007C334A
CNF8, xrefs: 007C2F3F
R03!, xrefs: 007C2F77

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: %"$- $f$9#'$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$g}zh$s$wdnf$~SS}
API String ID: 0-516266222
Opcode ID: 3ecca9790eb3fef88d3b2cafb44a54a1133eb00f6d3bc838a2403411ee432d47
Instruction ID: 9d2a432803fadb2f8412645e4e539d2f4c93ab7f919eacd80f9f13447d8559a1
Opcode Fuzzy Hash: 3ecca9790eb3fef88d3b2cafb44a54a1133eb00f6d3bc838a2403411ee432d47
Instruction Fuzzy Hash: 36C115B250C3908FD324CF6988917ABBBE1EFD2304F18896DE4D49B351D7798905CB96

Function 007D9280 Relevance: 18.2, APIs: 2, Strings: 8, Instructions: 661COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 007D98DF
SysFreeString.OLEAUT32(?), ref: 007D98E5

Strings

gd, xrefs: 007D968E
Jtuj, xrefs: 007D92E5
=hn, xrefs: 007D9676
O^, xrefs: 007D97A6
SB, xrefs: 007D979E
t"j, xrefs: 007D966E
b{tu, xrefs: 007D92D9, 007D939B
:;$%, xrefs: 007D99C0

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: FreeString
String ID: :;$%$=hn$Jtuj$O^$SB$b{tu$gd$t"j
API String ID: 3341692771-1335595022
Opcode ID: 6b11a0d547ee2fa856d3f0e5297001521c84b64c75c28ce75d231893ebad5a3b
Instruction ID: d101b26ed4a575258233190a4e20797be1b7e6b2c98fb45b940d9af0e4b609a7
Opcode Fuzzy Hash: 6b11a0d547ee2fa856d3f0e5297001521c84b64c75c28ce75d231893ebad5a3b
Instruction Fuzzy Hash: 78222376A083519BD310CF24C881B5BBBE2EFC5714F18892DE6D49B391D779D845CB82

Function 007B1D2B Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 479COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 007B1EC3

Strings

L, xrefs: 007B1D8F
a, xrefs: 007B21E6
[, xrefs: 007B21EB
?, xrefs: 007B1EE2
y, xrefs: 007B1EF2
p, xrefs: 007B2095
8, xrefs: 007B1EEA
|, xrefs: 007B2267
^, xrefs: 007B2034

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 8$?$L$[$^$a$p$y$|
API String ID: 237503144-3949209405
Opcode ID: 82fa22b3338cdbb91b1dd70b42081c62d3d9de6de9186b37a29d3bb5522a1607
Instruction ID: c5c60375e3a630dd55042eeed730ac13e046c7b892cb0f02d4abbb749b71d41f
Opcode Fuzzy Hash: 82fa22b3338cdbb91b1dd70b42081c62d3d9de6de9186b37a29d3bb5522a1607
Instruction Fuzzy Hash: 29129E7560D7808FD3649B38C4953EEBBE1AFC5324F584A2DE5D987382D6388946CB43

Function 007B60E9 Relevance: 17.1, Strings: 13, Instructions: 807COMMON

Download Yara Rule

Strings

{zdy, xrefs: 007B611D
qRb`, xrefs: 007B6133
*,-", xrefs: 007B66EF
L4, xrefs: 007B6780
L4, xrefs: 007B6BA0
t~v:, xrefs: 007B61E7
uqrs, xrefs: 007B6AF0
3F&D, xrefs: 007B6273
pt}w, xrefs: 007B61F2
~mfQ, xrefs: 007B613E
ntxE, xrefs: 007B6112
w}MI, xrefs: 007B6128
JyTK, xrefs: 007B6160

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: *,-"$3F&D$JyTK$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$L4$L4
API String ID: 0-2746398225
Opcode ID: 6218d746ab2fae37aba7f6502bb2714e5e49fa34fda7fda578b86654b67fc698
Instruction ID: cf349a8030875663d7cdebfe3f22f946f23795f6f8aed2aa52d43973b13a56e2
Opcode Fuzzy Hash: 6218d746ab2fae37aba7f6502bb2714e5e49fa34fda7fda578b86654b67fc698
Instruction Fuzzy Hash: 4E4214B2608290CFD7248F28D8957ABB7E2FFD6314F19893CD5D98B256D7389805CB42

Function 007AF60D Relevance: 16.6, APIs: 1, Strings: 8, Instructions: 845COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(?), ref: 007AFDFC

Strings

6, xrefs: 007AF620
#, xrefs: 007AF721
m, xrefs: 007AF8F4
\, xrefs: 007AFB0F
g, xrefs: 007AF9EA
=, xrefs: 007AF978
w, xrefs: 007AFAAD
x, xrefs: 007AFBD4

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #$6$=$\$g$m$w$x
API String ID: 237503144-139252074
Opcode ID: 6cd32e02e767d78fa2c1b22617b98508344b7b090bb911b9346fe71482b7ac3d
Instruction ID: eaf1f6ddc826cf5a19cc7f72f54b6d543363e8d4097afe3b73792ed8e494d4fd
Opcode Fuzzy Hash: 6cd32e02e767d78fa2c1b22617b98508344b7b090bb911b9346fe71482b7ac3d
Instruction Fuzzy Hash: E172863261D7908BD328DA78C85539FBAD2ABD6324F198B3DE4E9C73D2D67885018743

Function 007C7740 Relevance: 16.6, Strings: 13, Instructions: 338COMMON

Download Yara Rule

Strings

1Q>S, xrefs: 007C7FA4
!A/C, xrefs: 007C7FD0
f!V#, xrefs: 007C7F78
}9F;, xrefs: 007C7F62
s1z3, xrefs: 007C7F4C
DE, xrefs: 007C7FDB
P-X/, xrefs: 007C7F99
O=q?, xrefs: 007C7F6D
r, xrefs: 007C831A
$Y)[, xrefs: 007C7FBA
}5x7, xrefs: 007C7F57
Z)o+, xrefs: 007C7F8E
S%g', xrefs: 007C7F83

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: !A/C$$Y)[$1Q>S$DE$O=q?$P-X/$S%g'$Z)o+$f!V#$r$s1z3$}5x7$}9F;
API String ID: 0-3413813421
Opcode ID: d388c9dd8f912a5c5bc16083cc64299d9765947138833f63acbcf10b1a73b001
Instruction ID: 3f4c302e62cda4378434195313a7c05bffa0d2eecd3ade4113390560e3731c23
Opcode Fuzzy Hash: d388c9dd8f912a5c5bc16083cc64299d9765947138833f63acbcf10b1a73b001
Instruction Fuzzy Hash: 61C1DCB060C380CFD728DF29D855B6BBBF1EF85314F04896CE1998B262D7389905CB96

Function 007B1227 Relevance: 16.5, APIs: 1, Strings: 8, Instructions: 750COMMON

Download Yara Rule

Strings

>, xrefs: 007B16FF
[, xrefs: 007B1555
L, xrefs: 007B1846
F, xrefs: 007B184E
@, xrefs: 007B17D0
`, xrefs: 007B13A4
+, xrefs: 007B17CB
), xrefs: 007B1A4D

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: )$+$>$@$F$L$[$`
API String ID: 0-4163809010
Opcode ID: 3ca2aa4833065a543f58cfbd7f70bbbb8ecd9298b87183c7232bcb18c7212c40
Instruction ID: 3447729da50ca6b6c2527ee04e287877ba318c22848ff407b5f265900dbd71c3
Opcode Fuzzy Hash: 3ca2aa4833065a543f58cfbd7f70bbbb8ecd9298b87183c7232bcb18c7212c40
Instruction Fuzzy Hash: 6E52807160D7808FD3249B38C4953EFBBE1ABD6320F598A2DE5D9C7382D67889418B53

Function 007BC8A0 Relevance: 15.6, Strings: 12, Instructions: 585COMMON

Download Yara Rule

Strings

a`|v, xrefs: 007BC8A1
\701, xrefs: 007BCF55
\701, xrefs: 007BCF03, 007BCF0C
*", xrefs: 007BCE7A
wt, xrefs: 007BCB3E
"nl, xrefs: 007BCC10
#M%O, xrefs: 007BC9FA
uvw, xrefs: 007BCA0A
AC, xrefs: 007BCCF8
pv, xrefs: 007BCB36
MO, xrefs: 007BCD10
4UW, xrefs: 007BCCE0

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: "nl$#M%O$*"$4UW$\701$\701$a`|v$wt$AC$MO$pv$uvw
API String ID: 0-635595044
Opcode ID: d72b519e5d7fb7ed7d3510f07598145a018481752953312f0404954ac8d4e249
Instruction ID: bef4572cbebc4ffbf7af2543abec1adcf511b12f9bde039e635289805e7e027d
Opcode Fuzzy Hash: d72b519e5d7fb7ed7d3510f07598145a018481752953312f0404954ac8d4e249
Instruction Fuzzy Hash: 0702C0B6A0C3408BD7149F28D8916ABBBF1EFD5314F198D2CF4C58B351D2389A09CB96

Function 007D8EA0 Relevance: 15.3, Strings: 12, Instructions: 287COMMON

Download Yara Rule

Strings

], xrefs: 007D8F46
\, xrefs: 007D919B
], xrefs: 007D9196
_, xrefs: 007D8F3C
], xrefs: 007D905E
\, xrefs: 007D9063
_, xrefs: 007D9054
^, xrefs: 007D8F41
^, xrefs: 007D9059
\, xrefs: 007D8F4B
^, xrefs: 007D9191
_, xrefs: 007D918C

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: \$\$\$]$]$]$^$^$^$_$_$_
API String ID: 0-1108506012
Opcode ID: 29ec6932f2c0ca40086b8b5aeb29686346eb1874bdf95955053ec11bea61ffa6
Instruction ID: f39302b3347154fc5daa76f358bf92ae46d0cb6d5e18503a3c54ca4b126c7736
Opcode Fuzzy Hash: 29ec6932f2c0ca40086b8b5aeb29686346eb1874bdf95955053ec11bea61ffa6
Instruction Fuzzy Hash: A6B1197164D3858BD3148A28CC8435BBFE2A7C6318F1D4B2EE5E9473C2D6BDD8458746

Function 0095A235 Relevance: 12.9, Strings: 9, Instructions: 1659COMMON

Download Yara Rule

Strings

JT?, xrefs: 0095ACEF
@dk, xrefs: 0095B35F
AY, xrefs: 0095A27D
DS, xrefs: 0095AA9A
,>{v, xrefs: 0095A78F
oXu?, xrefs: 0095B556
yw, xrefs: 0095AE7C
)!f;, xrefs: 0095B212
yw, xrefs: 0095AE93

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: )!f;$,>{v$@dk$AY$DS$JT?$oXu?$yw$yw
API String ID: 0-3146273031
Opcode ID: cd58940c5da69939d6ec4b79ef81bd24876cabf927e7fdec390fe365236fcfa0
Instruction ID: fa133fb909dcbb14c171422c913c9ad2299282b4c919ca15b969503acb375de3
Opcode Fuzzy Hash: cd58940c5da69939d6ec4b79ef81bd24876cabf927e7fdec390fe365236fcfa0
Instruction Fuzzy Hash: A1B21BF3A0C204AFE3046E2DEC8567AFBE9EF94720F1A453DE6C4C7744E67598018696

Function 007B9AD0 Relevance: 12.1, APIs: 2, Strings: 4, Instructions: 1641COMMON

Download Yara Rule

APIs

Part of subcall function 007DE110: LdrInitializeThunk.NTDLL(007E148A,?,00000018,?,?,00000018,?,?,?), ref: 007DE13E

FreeLibrary.KERNEL32(?), ref: 007BA21A
FreeLibrary.KERNEL32(?), ref: 007BA2AB

Strings

_^]\, xrefs: 007BAAAE
_^]\, xrefs: 007BA0E5
_^]\, xrefs: 007B9B05
VX, xrefs: 007B9F94

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: VX$_^]\$_^]\$_^]\
API String ID: 764372645-2822990893
Opcode ID: 54c44a2b1244da059b6b8ee43dd2dcc26ca527b80d2ad8375b45b3d7f028be89
Instruction ID: 1a9a0750dbe0014975e6c0c5f543775e5d88d8277132eaeb939ac4a2d302db36
Opcode Fuzzy Hash: 54c44a2b1244da059b6b8ee43dd2dcc26ca527b80d2ad8375b45b3d7f028be89
Instruction Fuzzy Hash: 16A258B6B093406BD7289B24CC917ABBBD3FBD5314F29C52CE59587292D63ADC028742

Function 007BEB80 Relevance: 12.1, Strings: 9, Instructions: 812COMMON

Download Yara Rule

Strings

f>mI, xrefs: 007BEED0
, xrefs: 007BF25F, 007BF26A, 007BF29C
hch&, xrefs: 007BEEA8
AL, xrefs: 007BEF3D
t|f, xrefs: 007BEE88
O}nl, xrefs: 007BEED8
Yxqs, xrefs: 007BEEC8
uvqs, xrefs: 007BEEC0
CPm5, xrefs: 007BEEE0

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: AL$CPm5$O}nl$Yxqs$f>mI$hch&$t|f$uvqs$
API String ID: 0-1556426300
Opcode ID: 39cf3f0894edab152885aad8fadd641f90a8d23c9f42191438998c90d31bb91e
Instruction ID: a5e26b65f4a8b3c5de7864e93625d721081caeea3d1d47312b783759334c1248
Opcode Fuzzy Hash: 39cf3f0894edab152885aad8fadd641f90a8d23c9f42191438998c90d31bb91e
Instruction Fuzzy Hash: 2452137050C3918FC725CF28C8407AEBBE1AF95714F188A6DE4E59B392D739D906CB92

Function 00962A3B Relevance: 11.6, Strings: 8, Instructions: 1582COMMON

Download Yara Rule

Strings

bOo8, xrefs: 00963A13
aEwo, xrefs: 00963CBF
!Q_3, xrefs: 00963576
+g6z, xrefs: 00962D38
?Kf{, xrefs: 00963968
3F, xrefs: 00962CFE
-Hw[, xrefs: 00962DEB
'g6z, xrefs: 00962D32

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: !Q_3$'g6z$+g6z$-Hw[$?Kf{$aEwo$bOo8$3F
API String ID: 0-910692812
Opcode ID: b401eab06df8d9bbea00710e6932e904150aafaa3576fce1f04e38071cecc838
Instruction ID: 0d89342f1d1c2a0ecc1c0259521a845ce30beffd16ea3cd810313b61a19f3c58
Opcode Fuzzy Hash: b401eab06df8d9bbea00710e6932e904150aafaa3576fce1f04e38071cecc838
Instruction Fuzzy Hash: 32B216F3A0C2049FE304AE2DEC8567AB7E9EF94720F16893DE6C5C3744EA3558058697

Function 007CB980 Relevance: 10.3, Strings: 8, Instructions: 329COMMON

Download Yara Rule

Strings

pMC@, xrefs: 007CBC3A
:/', xrefs: 007CBBFE
AZDH, xrefs: 007CBC44
" , xrefs: 007CBC08
220, xrefs: 007CBBE0
nV[k, xrefs: 007CBC30
UXWZ, xrefs: 007CBC26
47:, xrefs: 007CBBD6

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 47:$ " $220$AZDH$UXWZ$nV[k$pMC@$:/'
API String ID: 0-3711047884
Opcode ID: a3b2ee020d8fd3708b62a0bc12fa0c10b058fd675e21806577c25784d87d1165
Instruction ID: bfbe46b76c98d8eaeb40eecf3d20d84584452e5f5a8f89db771c4e970fbf3f68
Opcode Fuzzy Hash: a3b2ee020d8fd3708b62a0bc12fa0c10b058fd675e21806577c25784d87d1165
Instruction Fuzzy Hash: AEC17BB4900B819FD320EF3995467A3BFF0AB06300F444A5DE4EB4B695E734601ACBD6

Function 007D88B0 Relevance: 10.3, Strings: 8, Instructions: 281COMMON

Download Yara Rule

Strings

X, xrefs: 007D88C3
Z, xrefs: 007D8932
Y, xrefs: 007D88C7
q, xrefs: 007D8A23
Y, xrefs: 007D892E
Z, xrefs: 007D88CB
X, xrefs: 007D892A
}, xrefs: 007D8A27

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: X$X$Y$Y$Z$Z$q$}
API String ID: 0-540668698
Opcode ID: 92023e53b11931f45d32f5ecdcf6ed19e405229557f51b4b8869f4eaeec5f576
Instruction ID: 706ae228b3f3ebc1c98e64b9644f0d9588c106d97a42938f069fc8c9b38d7efd
Opcode Fuzzy Hash: 92023e53b11931f45d32f5ecdcf6ed19e405229557f51b4b8869f4eaeec5f576
Instruction Fuzzy Hash: BFA11C63E087D94ADB1189FC8C543EEAFB25B96220F1D8776C8F1E73C6D56D49028362

Function 007B747D Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1238COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007B75C5

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 5b808669edea12f0ee985eba4da9b80ddfa71b11740ae1565364e9809ba215e3
Instruction ID: 6384dbd918bcac7c5f8a49afbbaaacd72b2d900a25c290add80ff5d23c944458
Opcode Fuzzy Hash: 5b808669edea12f0ee985eba4da9b80ddfa71b11740ae1565364e9809ba215e3
Instruction Fuzzy Hash: B08246715083518BC728CF28C8917ABB7E1FFD9354F198A6CE8D58B3A5E7388901CB52

Function 007A9310 Relevance: 9.2, Strings: 7, Instructions: 431COMMON

Download Yara Rule

Strings

PTvu, xrefs: 007A96F3
WAg., xrefs: 007A943E
A, xrefs: 007A9698
,6.2, xrefs: 007A9446
cbrn, xrefs: 007A93EE
FM, xrefs: 007A9370
;"I, xrefs: 007A944E

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ;"I$,6.2$A$FM$PTvu$WAg.$cbrn
API String ID: 0-3116088196
Opcode ID: c9e207116f0d0e1d3c010b878aae285ff6d7d53aed98aae9b503113e93668ba5
Instruction ID: e362d9839f9b9f305fa7d20a8ea1e6c5f820e6ff6e0319e9567f23dc7ce5e452
Opcode Fuzzy Hash: c9e207116f0d0e1d3c010b878aae285ff6d7d53aed98aae9b503113e93668ba5
Instruction Fuzzy Hash: ACC12571A4C3D54BD322CF6994A036BFFD19FD7210F084AACE5D51B386D279890ACB92

Function 007C6D2E Relevance: 8.0, Strings: 6, Instructions: 482COMMON

Download Yara Rule

Strings

\R, xrefs: 007C6DAC
uYD\, xrefs: 007C6E3D
X^, xrefs: 007C6DA5
PV, xrefs: 007C6DB3
_^]\_^]\, xrefs: 007C7064
rq|, xrefs: 007C715F

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\_^]\$rq|$uYD\$PV$X^$\R
API String ID: 0-182583306
Opcode ID: 7c04589572288f20d92f00aa95b8abce4c92f698d6fff09021ec15f4302669cc
Instruction ID: 7b245c93f4f09df5ee1e4bfd5e2364af84ba8d9bd25b33aee60a5c002f461470
Opcode Fuzzy Hash: 7c04589572288f20d92f00aa95b8abce4c92f698d6fff09021ec15f4302669cc
Instruction Fuzzy Hash: 5CF1EEB1E05254CFDB18CFA8D881AAEBBB1FB49310F18846CD642AB351D779A941CF94

Function 007AAB40 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

>, xrefs: 007AAB5E
]><, xrefs: 007AAC83
HYZF, xrefs: 007AAE40
HYZF, xrefs: 007AAE05, 007AB07E, 007AB075
UMAG, xrefs: 007AAEF0
Y2^0, xrefs: 007AAC7B

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: >$HYZF$HYZF$UMAG$Y2^0$]><
API String ID: 0-2666672646
Opcode ID: b3edb71e010b953d07baaf2191bb009951ab10f559a19c356a70e1d9c711dcb2
Instruction ID: eadd6b41f03fd9e0f1d6bace9365a4507009095958552f53c68d44027eacd502
Opcode Fuzzy Hash: b3edb71e010b953d07baaf2191bb009951ab10f559a19c356a70e1d9c711dcb2
Instruction Fuzzy Hash: 1DE12A7674C7508BD324CF6888512AFBBE29FC2304F188A2DE5E59B346DB79C905C786

Function 007C81CC Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 593COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 007C84BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 007C85B4

Strings

_^]\, xrefs: 007C8A15
LF7Y, xrefs: 007C8951

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: 8f526f0e3bf44e4ebd9b482da3ef2a9cc679c987ca51a8c74ea92db4b578f60f
Instruction ID: 42a95d95c0fde859de21a55a338b12b029fccc1b4e2d9119d775e277ccc8cf75
Opcode Fuzzy Hash: 8f526f0e3bf44e4ebd9b482da3ef2a9cc679c987ca51a8c74ea92db4b578f60f
Instruction Fuzzy Hash: 2C22E371509381CFD3288F28D880B2FB7E1BF89310F198A7CE9955B3A1D7399A51CB56

Function 007C83D8 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 542COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 007C84BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 007C85B4

Strings

_^]\, xrefs: 007C8A15
LF7Y, xrefs: 007C8951

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: 5e2246a6522c9f33d944e36d69b65e64f4724d1632b65f772cf145c233e377bf
Instruction ID: 1c8e92dba71426b4bc61eeabacf1f0b0297cba32c831a65bc574039136fb3251
Opcode Fuzzy Hash: 5e2246a6522c9f33d944e36d69b65e64f4724d1632b65f772cf145c233e377bf
Instruction Fuzzy Hash: 0512D271909381CFD3248F28D880B1FBBE1BF89314F198A6CE9955B3A1D739DA41CB56

Function 007DCDF0 Relevance: 6.9, Strings: 5, Instructions: 697COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007DD006
jiP, xrefs: 007DD301
fiP, xrefs: 007DD2CF
f, xrefs: 007DD081
_^]\, xrefs: 007DCE29

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\$_^]\$f$fiP$jiP
API String ID: 2994545307-2734853458
Opcode ID: 6b72b0f14b972606ea15362f4ffc8f83dd17a1ba9dbd7e5b87c786bb90c0fbe2
Instruction ID: 7cc9079e9c7b0e571d1e6f6fce1c46164e960ab40dce1bb96c1c0409bfd5230e
Opcode Fuzzy Hash: 6b72b0f14b972606ea15362f4ffc8f83dd17a1ba9dbd7e5b87c786bb90c0fbe2
Instruction Fuzzy Hash: 292208716083429FC729CF18C89072EBBF2EBD9314F19892DE4959B395D635EC41CB52

Function 00960F1E Relevance: 6.6, Strings: 4, Instructions: 1634COMMON

Download Yara Rule

Strings

M:~, xrefs: 00961215
w~z, xrefs: 00961B3A
M?s, xrefs: 00961CAE
6r4, xrefs: 0096121F

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 6r4$M:~$M?s$w~z
API String ID: 0-1334287604
Opcode ID: 390f2da1a9d6af3b31154840d97c1f93f0ab4280bb3c31b6b3aac6905795f7de
Instruction ID: dd2defba6df4fdf06b85b551629434b130579cd457396275537d6c466b175ab9
Opcode Fuzzy Hash: 390f2da1a9d6af3b31154840d97c1f93f0ab4280bb3c31b6b3aac6905795f7de
Instruction Fuzzy Hash: 63B2FAF360C204AFE304AE2DEC8567AB7E9EF94720F1A493DE6C5C3744E63598058697

Function 007C24E0 Relevance: 6.6, Strings: 5, Instructions: 304COMMON

Download Yara Rule

Strings

.[TU, xrefs: 007C2538
"_,Y, xrefs: 007C2530
pCj], xrefs: 007C2528
=K0E, xrefs: 007C2544
;GsA, xrefs: 007C2520

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: "_,Y$.[TU$;GsA$=K0E$pCj]
API String ID: 0-1171452581
Opcode ID: 062baa3ea153f57f0fca2b726dac1c40b9e10867945ade768b1b2e5db7aa81ef
Instruction ID: baaee94f8c161eb5a7b6299aa6e489a2d3b65ad7a1287c382711d116b1417fb8
Opcode Fuzzy Hash: 062baa3ea153f57f0fca2b726dac1c40b9e10867945ade768b1b2e5db7aa81ef
Instruction Fuzzy Hash: 949102B16083009BC714DF24C895F67B7F5EF95324F18852CE9898B292E779E906CB62

Function 007C1340 Relevance: 5.5, Strings: 4, Instructions: 493COMMON

Download Yara Rule

Strings

9deZ, xrefs: 007C1818
{s, xrefs: 007C1520
sp, xrefs: 007C1528
eb, xrefs: 007C16F6

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 9deZ$eb$sp${s
API String ID: 0-3993331145
Opcode ID: bc9a4f4558626b93b5bdeb6673489a8cee405e251882d12a2030cdc585f4de17
Instruction ID: e909d419d32f7436c8eb27cedc394a5c6297a523738e9167c857339f3b0e2c7b
Opcode Fuzzy Hash: bc9a4f4558626b93b5bdeb6673489a8cee405e251882d12a2030cdc585f4de17
Instruction Fuzzy Hash: BAD1D2B15183148BC728DF24C8A1B6BB7E1FFD6354F489A2CE4968B3A1E778D904C752

Function 007C91AE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 007C91DA

Strings

wpq, xrefs: 007C92B7
+Ku, xrefs: 007C92AF

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +Ku$wpq
API String ID: 237503144-1953850642
Opcode ID: c0825d09a7bded2a46cf5693d31fb4c8aafc693c59fc195e0aa2dc557ac669d7
Instruction ID: 204d29bcc786f94c7faf7dc77b241f3cf259b48073d3d35d708f468bb2ff5b2e
Opcode Fuzzy Hash: c0825d09a7bded2a46cf5693d31fb4c8aafc693c59fc195e0aa2dc557ac669d7
Instruction Fuzzy Hash: 7651CC7220C3518FC324CF29984076FB7E2EBC5310F15892DE599CB281DB74D50ACB92

Function 007D7DA9 Relevance: 5.4, Strings: 4, Instructions: 421COMMON

Download Yara Rule

Strings

\, xrefs: 007D824E
], xrefs: 007D824A
^, xrefs: 007D8246
_, xrefs: 007D8242

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: \$]$^$_
API String ID: 0-1726580471
Opcode ID: 74c9f73d96cd2f002a5e0c74778ab23fd38f71d2ff6ac3795c0c4ebfa35e9baa
Instruction ID: a16ff3e9df347ac173da0dfbe0cd44c4eafe153ceedf97dbf50e95c4697e8423
Opcode Fuzzy Hash: 74c9f73d96cd2f002a5e0c74778ab23fd38f71d2ff6ac3795c0c4ebfa35e9baa
Instruction Fuzzy Hash: 09227D215087D5CED326CB3C8848B497FA11B67324F0E82D9D4E95F3F3C6A9894AC766

Function 0095357E Relevance: 5.4, Strings: 3, Instructions: 1601COMMON

Download Yara Rule

Strings

]>], xrefs: 00953B65
#Um, xrefs: 0095380D
&'wv, xrefs: 009546E7

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: #Um$&'wv$]>]
API String ID: 0-845870005
Opcode ID: 5c57e45387d2b6003d409d0f8e450f7041fc9943f24df25b782bd433274d2244
Instruction ID: a84e87634207094ccb85b980becb9e1db9dc67ccab3a867c8955e732dccd4985
Opcode Fuzzy Hash: 5c57e45387d2b6003d409d0f8e450f7041fc9943f24df25b782bd433274d2244
Instruction Fuzzy Hash: 5EB218F3A0C2049FD714AE2DEC8567AFBE9EF94720F16493DEAC5D3340EA3558048696

Function 007C90D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 007C9170

Strings

M/(, xrefs: 007C913D
M/(, xrefs: 007C919E

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M/($M/(
API String ID: 237503144-1710806632
Opcode ID: b1fcd5866a2299fa7519f74490f652c65a952edecc9be8502ef07ae2e65340a9
Instruction ID: 3fae193bf5bff1c7b77f96c19c9a2b9f5186a765480b52f928272cac03189cc5
Opcode Fuzzy Hash: b1fcd5866a2299fa7519f74490f652c65a952edecc9be8502ef07ae2e65340a9
Instruction Fuzzy Hash: 1D210171A583519FE714CE349886B9BB7AAEBC6700F01892CA0919B1C5D679880B8756

Function 007CC9EB Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

EXCm, xrefs: 007CC8F5
EXCm, xrefs: 007CC9FE
_^]\, xrefs: 007CC96F
_^]\, xrefs: 007CCA6F

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: EXCm$EXCm$_^]\$_^]\
API String ID: 0-1657758763
Opcode ID: 4510f3778cc9153dda46b2e1d2407b38eb8b2ac1704fc2bb9e674a0ecc8ac2bb
Instruction ID: 12de2951f8f7b1f05c48a9f878ef5a13d9c46c41d7256ccc9e3aa0ef287972b4
Opcode Fuzzy Hash: 4510f3778cc9153dda46b2e1d2407b38eb8b2ac1704fc2bb9e674a0ecc8ac2bb
Instruction Fuzzy Hash: C151C4701056928BD726CF3A80A0B77BBD1AF57304F1DC5ACC4DB8F652D639A986CB50

Function 007CA5B6 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

VN, xrefs: 007CA520
VN, xrefs: 007CA5C6
i, xrefs: 007CA527
i, xrefs: 007CA5CD

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: VN$VN$i$i
API String ID: 0-1885346908
Opcode ID: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction ID: d6efaeee70194a410532dc4750fd4b15e8645be2cbdc93e0ad9e953adb82d36e
Opcode Fuzzy Hash: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction Fuzzy Hash: F421052114C3848AD3058E75A0407A6FBE3ABC632DF28865ED4F15F391EA3FC90A8757

Function 007B4CA0 Relevance: 4.8, Strings: 3, Instructions: 1046COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007B5715
D]+\, xrefs: 007B5380
7U{, xrefs: 007B5528

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 7U{$D]+\$_^]\
API String ID: 0-494750798
Opcode ID: f644d71fa7673ab27542293e9aaa8e18a5f64305de60ce1eabab03db7a57badb
Instruction ID: 1fdca1cbe1c8664c56b52a01b86f0d3b883421ddd87698d69e93a34b2a956505
Opcode Fuzzy Hash: f644d71fa7673ab27542293e9aaa8e18a5f64305de60ce1eabab03db7a57badb
Instruction Fuzzy Hash: 17527670609340DBD7159F28EC92B7BB3E1FF99314F18892CE5868B291E739E901CB56

Function 007D9D30 Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007D9F20
_^]\, xrefs: 007D9D60
_^]\, xrefs: 007DA261, 007D9F06

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\$_^]\$_^]\
API String ID: 0-3175222818
Opcode ID: b2a3a7609a54c7b38b1d63acf2cdd050d50141d83062c57b3c79ae02e2dcf0b9
Instruction ID: 3050588f5be2cd7c4a842a4e2adf5c23bd974c148a13efaa64e8baabf82b9163
Opcode Fuzzy Hash: b2a3a7609a54c7b38b1d63acf2cdd050d50141d83062c57b3c79ae02e2dcf0b9
Instruction Fuzzy Hash: D2D14776A083109BD714CE25C8C162BBBB2FBC5714F19CA2EE5D957391D775AC02C782

Function 0095BD67 Relevance: 4.1, Strings: 2, Instructions: 1647COMMON

Download Yara Rule

Strings

2rFw, xrefs: 0095C4B3
2z}, xrefs: 0095C33D

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 2z}$2rFw
API String ID: 0-440357510
Opcode ID: f04c72b44c1c3e65e027db1327e5180e5efb9ad58e9d31fe658ea16c098a8b59
Instruction ID: 7a53c0cf9a59ba6cb7bfca12af7f76e3e3b770b6fb35ceb2afedf683d06d56cc
Opcode Fuzzy Hash: f04c72b44c1c3e65e027db1327e5180e5efb9ad58e9d31fe658ea16c098a8b59
Instruction Fuzzy Hash: 41B218F360C2049FE308AE2DEC8567ABBE9EB94320F16853DE6C5C7744EA3558058797

Function 007CA0CA Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

<\hX, xrefs: 007CA236
_^]\, xrefs: 007CA49C, 007CA188
.txt, xrefs: 007CA371

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: .txt$<\hX$_^]\
API String ID: 0-3117400391
Opcode ID: f555a63bdd09ad2ea53d10c7151be64bb78ae3d558cd52846ed5dafcfabc76af
Instruction ID: 2bedd81470494f66c62189774964faf52abae02853e80ffacbbbf9d4a8898d9e
Opcode Fuzzy Hash: f555a63bdd09ad2ea53d10c7151be64bb78ae3d558cd52846ed5dafcfabc76af
Instruction Fuzzy Hash: A3C1257150C384EFD708DF28DC91A2ABBE6AFC9315F188A6CF095472A2D7399945CB12

Function 007BD003 Relevance: 3.4, Strings: 2, Instructions: 883COMMON

Download Yara Rule

Strings

[V, xrefs: 007BD4DD
bh, xrefs: 007BD4D6

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: [V$bh
API String ID: 0-2174178241
Opcode ID: 7165e76688945f307a2fc408b9c783e9dc3ce6a3de1e51f5e0f011f50d8d6b4b
Instruction ID: 0b259564cacbfbde133e3d7c801fd6d07855c1e6c422c77eca6957a2ea3ca068
Opcode Fuzzy Hash: 7165e76688945f307a2fc408b9c783e9dc3ce6a3de1e51f5e0f011f50d8d6b4b
Instruction Fuzzy Hash: C53203B1901615CBCB34CF28C8927B7B7B1FF95310B198268D8969B395F738AD42CB91

Function 007A4BA0 Relevance: 3.3, Strings: 2, Instructions: 832COMMON

Download Yara Rule

Strings

8, xrefs: 007A5505
0, xrefs: 007A550D

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9f29771e1313cdb2880f67789c6805362c994a24bdd4b453d12c4284291970c5
Instruction ID: 82a62f98fd31c2a77520f2a9067c6ed39a7bedc3ca0e2052c71f31d8899b422a
Opcode Fuzzy Hash: 9f29771e1313cdb2880f67789c6805362c994a24bdd4b453d12c4284291970c5
Instruction Fuzzy Hash: 607237716083409FD714CF18C884BABBBE1AFD9314F588A1DF9898B392D379D954CB92

Function 007E0D20 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

, xrefs: 007E0DC3, 007E0EAB
@Ukx, xrefs: 007E0F53

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID: @Ukx$
API String ID: 2994545307-3636270652
Opcode ID: 6d03269f7eadff8804a2cd6a6b435c2b6f4f4cbf13b669100203fa515c52ce72
Instruction ID: a98d49d8e9c07fb88e64b94bcfe3476291d3f64906d237f6702aea388c8f6734
Opcode Fuzzy Hash: 6d03269f7eadff8804a2cd6a6b435c2b6f4f4cbf13b669100203fa515c52ce72
Instruction Fuzzy Hash: 22B17732B093904BC728CE29DCD22BBB7A2EBC9314F19C53CD9865B385DA799C458781

Function 007B961B Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

wt, xrefs: 007B98CB
&, xrefs: 007B97D7

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: &$wt
API String ID: 0-2890898390
Opcode ID: ee54e4bca0dcf40e7b4f62a5daaed8ec31b61dcc94c29a78202a248f0953fa33
Instruction ID: 031e5fd28c9ab0e5ed1a5e5e14a9aeb15658c4e6706262e0b855df734ca66cd6
Opcode Fuzzy Hash: ee54e4bca0dcf40e7b4f62a5daaed8ec31b61dcc94c29a78202a248f0953fa33
Instruction Fuzzy Hash: 628138715083408BD725CF28C4517EBBBE1EFDA324F195A1CE5DA8B292E7388905C796

Function 007A4270 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 007A42EB
IEND, xrefs: 007A4661

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 84468229084fb814bf9cd374c4b09891465bb69923702c186f05da49ad323869
Instruction ID: 54e9b92f1af78205d4a42dfa8057055cbca154cf95a9d6f02bca161b8b55251d
Opcode Fuzzy Hash: 84468229084fb814bf9cd374c4b09891465bb69923702c186f05da49ad323869
Instruction Fuzzy Hash: 2AD1B171908344DFD710CF18DC45B5ABBE4ABD6304F148A2DF9999B382D3B9E909CB92

Function 007C9739 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

(. 7, xrefs: 007C977E
,7, xrefs: 007C9786

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: (. 7$,7
API String ID: 0-1315767106
Opcode ID: 2b3451508d84fc8d2ef3017f8d2b7acdc18e3d824b3615407a768a59a1b8c34d
Instruction ID: 2205b3dd076c5b24ba8d7ac0b25062044d8a6654a5f01a798bbbca2a70a6f2f3
Opcode Fuzzy Hash: 2b3451508d84fc8d2ef3017f8d2b7acdc18e3d824b3615407a768a59a1b8c34d
Instruction Fuzzy Hash: 98A1CFB150C341DFC714DF25C895A2BBBE2AFC6310F54892CF5968B292E738E941CB56

Function 007AD4F3 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

Fm, xrefs: 007AD6DD
V], xrefs: 007AD6E4

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: Fm$V]
API String ID: 0-2730126902
Opcode ID: d02dbf6d1230a8b1f00f22446e88630988e35fb10560cf633640ac19fede0f8e
Instruction ID: d2bad08f08e6ea11b9f9f9296010f1e0d54abd5221c3fb7357f0e4ee8f245871
Opcode Fuzzy Hash: d02dbf6d1230a8b1f00f22446e88630988e35fb10560cf633640ac19fede0f8e
Instruction Fuzzy Hash: 7291BEB62557808FD325CF29C480656BFA2EFD7318729869CC0964F766C33AA807CB90

Function 007AD83C Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

V], xrefs: 007ADA25
Fm, xrefs: 007ADA1E

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: Fm$V]
API String ID: 0-2730126902
Opcode ID: 4114cb7bc16b8b83b185a22fb1d3307fab197a8f187c5a64ec090ba4c5e22acd
Instruction ID: c0b41e7c751f25528cd9e2c740013305d436edfc71bcead90e3bcbd7624ea01f
Opcode Fuzzy Hash: 4114cb7bc16b8b83b185a22fb1d3307fab197a8f187c5a64ec090ba4c5e22acd
Instruction Fuzzy Hash: 2781DFB61497808FD7268F29C4D0652BFA2EF97310719869CD8D64F76AC339E806CB91

Function 00958EDF Relevance: 2.3, Strings: 1, Instructions: 1019COMMON

Download Yara Rule

Strings

{3, xrefs: 00959A94

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: {3
API String ID: 0-2249376176
Opcode ID: 62d5715cf9f8c1aed64ec5ac0dc68ddc65e5029f066c8291aae9c6060d4ee62d
Instruction ID: 4f60ded29bc2d9d75fb65acc9aa47ee151b522a701f951b17c84753ec61d42b7
Opcode Fuzzy Hash: 62d5715cf9f8c1aed64ec5ac0dc68ddc65e5029f066c8291aae9c6060d4ee62d
Instruction Fuzzy Hash: 0762D5F360C6049FE304AE2DEC8566AFBE5EF94320F16893DEAC4C3744E63598058697

Function 007BB8F6 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

EWC`, xrefs: 007BBD43

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: EWC`
API String ID: 0-1922773688
Opcode ID: 920544a416803ae9661b8c22a95ed9399234bbfe46193c30f6716124b608d537
Instruction ID: 35ee0263958837fcdccc0f56391e221e7b44b79eedeb68c77965c8bc27261132
Opcode Fuzzy Hash: 920544a416803ae9661b8c22a95ed9399234bbfe46193c30f6716124b608d537
Instruction Fuzzy Hash: 58D10E706057018BC3358F28C4A27A3BBF2EFA6304F18952CD9D38B692E779E806C750

Function 007CD17D Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(1A11171A), ref: 007CD2A4

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d8c10ae7026454098b7428864e92f2d8fc811469af358a7bf0a97eecb560caca
Instruction ID: cd6ff38cb3041cde107534ed2aaa2eb5d1c0b5dadcdee6253c664c6a776d4d3d
Opcode Fuzzy Hash: d8c10ae7026454098b7428864e92f2d8fc811469af358a7bf0a97eecb560caca
Instruction Fuzzy Hash: 0B41A2745043829BE3258F34C9A0B62BBA1FF57314F28869CE59A4B393D629E8468B51

Function 007CD34A Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

><+, xrefs: 007CD353

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ><+
API String ID: 0-2918635699
Opcode ID: e2c4510b1736e8e2297aaef4829a7fd743ca96208e0ef98af48c49bc2ce59efe
Instruction ID: fe42d1fd0bb0b63f8cc6d0c6767a9cf00fee4828608693be3559da2d9adc0605
Opcode Fuzzy Hash: e2c4510b1736e8e2297aaef4829a7fd743ca96208e0ef98af48c49bc2ce59efe
Instruction Fuzzy Hash: 7AC1C3756047818FD725CF2AC490762FBE2BF9A310B28C5ADC4DA9B752C739E806CB50

Function 007CB170 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 007CB458

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 2a481a20cd818ae86bd77ddd76c28e78242e6649cf267746c47876947a36422a
Instruction ID: 21c1ea58c1b45bfc09dcac53b5b9a39e4a4c4abf7408055db68b776986764daf
Opcode Fuzzy Hash: 2a481a20cd818ae86bd77ddd76c28e78242e6649cf267746c47876947a36422a
Instruction Fuzzy Hash: 5FC1F7B2A083449FD7258E24D496F6BB7D9AF85310F18892DF89587382E73CED448792

Function 007F87A1 Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

NTDL, xrefs: 007F8C06

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: d724316d6810c4305c8759d39f3dd37ca7d2faded6f90d50b49fbb77159ae292
Instruction ID: efa676bb0e53760f99d91c54e16c5258831fa03fc19ba2d3668515323b4b9d0c
Opcode Fuzzy Hash: d724316d6810c4305c8759d39f3dd37ca7d2faded6f90d50b49fbb77159ae292
Instruction Fuzzy Hash: 7BC107B250820E8FDB46CF24C5401FF7BA1EF57330B24816AD94297B02DA6A5D15EB6B

Function 007C9E80 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 007C9F6C

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: cf8ff33c20f9d50ae6d179d75dad62f969294fd89eff630dd8ac9241e1eb70dd
Instruction ID: 300c68d5a13d3d168b8949d9e31520d546043b6e80c95de4c5b93e006172fbfa
Opcode Fuzzy Hash: cf8ff33c20f9d50ae6d179d75dad62f969294fd89eff630dd8ac9241e1eb70dd
Instruction Fuzzy Hash: D241A1B054D344CFD3149F20AC8566BBBB4EBC6718F10896CE5929B291D339D507CB96

Function 007B6F52 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

t, xrefs: 007B70C9

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: bba0cd4b8ca41eaf4a33dedeccf59607e05870cd73c6ef83265fa3ed18cfc691
Instruction ID: 0d2938e5945af8ac41cd7fac2b22372bcca41adbc0f9f705286f829ea0e19c47
Opcode Fuzzy Hash: bba0cd4b8ca41eaf4a33dedeccf59607e05870cd73c6ef83265fa3ed18cfc691
Instruction Fuzzy Hash: D0B166B05093818BD3398F2589A53EBBBE1FFDA304F14892CD4C98B391EB395506CB56

Function 007D38D0 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

0, xrefs: 007D3926

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3ddb976b5eab88c4c833ed603151b9f44c9c8712ca6b65ddf89eaba7037c56f9
Instruction ID: 18c622f79455429897029583b26cced62a454af0e882efa6ee2020fc8b8f591f
Opcode Fuzzy Hash: 3ddb976b5eab88c4c833ed603151b9f44c9c8712ca6b65ddf89eaba7037c56f9
Instruction Fuzzy Hash: 91912433B5A99007C3289D3C4C5626AB9934BD6330B3EC37AAAF59F3E5D96D4E014381

Function 007BDF50 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 007BE01B

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 5dee5ffbd1485f51756c7a4a8b7c7d7c278154566fc28e1f940337ab805d87e1
Instruction ID: 8c03fabff037f711ade94b0c4da67c5b30ee98e1f12dd44b9331462bce30d389
Opcode Fuzzy Hash: 5dee5ffbd1485f51756c7a4a8b7c7d7c278154566fc28e1f940337ab805d87e1
Instruction Fuzzy Hash: 29814C729042654FC7218E28C8503DEBBD1AB85324F29C67DECBA9B392D2399C45D7D1

Function 007C6910 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

Z1\3, xrefs: 007C6C1A, 007C6C29

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: Z1\3
API String ID: 0-159632435
Opcode ID: d4d6ec3f760f3a31e7ecba1035f325aa458cf538bbfa09db5630b80a7cf354d9
Instruction ID: 0fc491a796449e9379383e9dfb16a73e9cde8dc5ee2f7e8b1f22e694133a6430
Opcode Fuzzy Hash: d4d6ec3f760f3a31e7ecba1035f325aa458cf538bbfa09db5630b80a7cf354d9
Instruction Fuzzy Hash: AC8113B25093518BD314DF25C89176BBBE2EFD5314F188A2DE4C68B385EB789905C782

Function 007A5DC0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 007A5EF6

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 032979fbd8883524b2f5b732a4a7eb679e248c0839feb764d429df90902c2ded
Instruction ID: cd85047e9afc846833616ef8b8d6bde6e8025905b28e79cfd862218c00777eb1
Opcode Fuzzy Hash: 032979fbd8883524b2f5b732a4a7eb679e248c0839feb764d429df90902c2ded
Instruction Fuzzy Hash: 78B1397110D7819FD325CF18C88061BFBE0AFAA704F484A2DE5D997742D635EA18CBA7

Function 007C7440 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007C7465

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: a289b9598648705665421af139e562566fe66f5964cc7358ce0b0417f25fb993
Instruction ID: 65d509085370d61249b60c56c507f3f09883ade2e860e289660a1740f75f27a1
Opcode Fuzzy Hash: a289b9598648705665421af139e562566fe66f5964cc7358ce0b0417f25fb993
Instruction Fuzzy Hash: 4B7129B1A083405BD71C9A28DCD2F3B77A1DF86318F18853CE4869B292EA7CDD05CB56

Function 007AC840 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

NO, xrefs: 007AC9EC

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: NO
API String ID: 0-3376426101
Opcode ID: 6e8e26c55343320aa68d1d2d249b59636eccc3dd6977b7643dc9590f6516c77c
Instruction ID: 2d54819d2094b6702804a7e6982a7579ebbc88f7432d9587a6148d1d75fe0c44
Opcode Fuzzy Hash: 6e8e26c55343320aa68d1d2d249b59636eccc3dd6977b7643dc9590f6516c77c
Instruction Fuzzy Hash: 2761FF7561C3019ED319CF65C89266BB7F2EFDA314F08CA2CE0D59B684E63C8905CB5A

Function 007CC53C Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

x|*H, xrefs: 007CCE93

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: 988e7a0e70a644122a842b0f5661470c6570a9b089b438ea3c5d9e132c87529b
Instruction ID: eda52c5f8716097d3982a7aceae1d11e67d4443f5d1dd39cfc82cdf8ee102645
Opcode Fuzzy Hash: 988e7a0e70a644122a842b0f5661470c6570a9b089b438ea3c5d9e132c87529b
Instruction Fuzzy Hash: 8D71E4706047818FD72ACF39C4A0B22BBE2AF57305F28C4ADD5DB8B796D63998069750

Function 007DCA40 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007DCC20

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: 5f188500b2eaa2d735e03e48fb357c4bb4e5693da8087a5c4c906b543049e21f
Instruction ID: a5de81e4047e3326c422c82df12b582e56a18814c0beffce54c84c1e55f372b4
Opcode Fuzzy Hash: 5f188500b2eaa2d735e03e48fb357c4bb4e5693da8087a5c4c906b543049e21f
Instruction Fuzzy Hash: EE714671B143025FDB199E2CCCD162EBBA2EB8A710F19C63ED49A9B395D6389C01C791

Function 007CCD5E Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

x|*H, xrefs: 007CCE93

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: 374ba8526b9c05d1f551f72c06bd281c2f4d4d8a496d5a5dc6191ac2efd3854e
Instruction ID: ef144a3ec4c7c8d9c934bdd70493454f359609ee9f233beeabc7ffa3077e589a
Opcode Fuzzy Hash: 374ba8526b9c05d1f551f72c06bd281c2f4d4d8a496d5a5dc6191ac2efd3854e
Instruction Fuzzy Hash: D96107706047818FE72A8F39C4A0B62BFD2AF57305F28C4ADD5DB8B796D63998068750

Function 007AD021 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007AD455

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 46ce151d664fce37117afefd0df0ec75945d0549d0d06c9009b7e1f681ff417d
Instruction ID: de6b63919b354232721dd8216de0f2528bf874ac377211bbf112648c0d92c1ad
Opcode Fuzzy Hash: 46ce151d664fce37117afefd0df0ec75945d0549d0d06c9009b7e1f681ff417d
Instruction Fuzzy Hash: 945105703022409FCB34CF14D8D06367BE2EB9B718719C92CD5978BA62C279BC46CB55

Function 007D9A80 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007D9AE0, 007D9B6B

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 08f6668914ed48cbb75cd5d240902ce045dd3282e6328ff21dbc755408622d9e
Instruction ID: 7c3cc98d881f8a032f96f3d964988dce3601492ae94c005ab4f83abae24a8a4d
Opcode Fuzzy Hash: 08f6668914ed48cbb75cd5d240902ce045dd3282e6328ff21dbc755408622d9e
Instruction Fuzzy Hash: BF516C76608201EBD314DF24DC85B2BB7A6EBC9304F15C52DF68A87391D779E841C792

Function 007CC0E6 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

N&, xrefs: 007CC173

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 367cbbbafe756df8012372143b4a5a906b7ac98912880439e98e277f29ec61e1
Instruction ID: 5983e7471df3e4082de45bd3a7098e26c9c28a858f9bfc568e04fd03e8125c8b
Opcode Fuzzy Hash: 367cbbbafe756df8012372143b4a5a906b7ac98912880439e98e277f29ec61e1
Instruction Fuzzy Hash: 41510961614B804BD72ACB3A88517B7BBD3AFDB314B5C969DC4DBC7686CA3CE4068710

Function 007CCD4C Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

x|*H, xrefs: 007CCE93

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: 4b92e574350e64cb22ea7fe9a2f24d6af5ccf5d78c12f2aa2b53ac40c2602c1b
Instruction ID: 9c03e07a6360d65ef2cee8c137ff6812ccb066b04b5af4305cdf3576918691b2
Opcode Fuzzy Hash: 4b92e574350e64cb22ea7fe9a2f24d6af5ccf5d78c12f2aa2b53ac40c2602c1b
Instruction Fuzzy Hash: 8A51E5B16047818FD71A8F39C4A0B72BBD2AFA7305F1CC09DD5DB8B396D63998069760

Function 007CC09E Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

N&, xrefs: 007CC173

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 4f68261ec31648c193fbf2da8802d57fad16303fc31ea244bc64ecd733eedcbb
Instruction ID: 453870e865429185796a191dabecdccbab13d4e4adb775bebc1d59aa51cc7cc9
Opcode Fuzzy Hash: 4f68261ec31648c193fbf2da8802d57fad16303fc31ea244bc64ecd733eedcbb
Instruction Fuzzy Hash: 1451F965614B804BD72ACB3A88507737BD3AB9B310F5C969DC4DBDBA86CA3C94028711

Function 007AF3C0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

,, xrefs: 007AF3E0

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 16d32a63796f62f6e37efba573b1965645e0a0d2578f0a1a4c128f9424f7fa58
Instruction ID: c45b01149fda5a65e7a68937cc71b626d87e77b6bfbf275fc793d5ab25cda670
Opcode Fuzzy Hash: 16d32a63796f62f6e37efba573b1965645e0a0d2578f0a1a4c128f9424f7fa58
Instruction Fuzzy Hash: 0A61E63261C7908BC7209A7888553DFBBD1ABDA324F294B7DD9E5D73D2E6388901C742

Function 00845AC3 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

!SN, xrefs: 00845C04

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: !SN
API String ID: 0-226035710
Opcode ID: ba2e21f7330646f216b879458cc58f2da4466fcd044b6b554ef356deacf36d18
Instruction ID: a2205f440293ba049177561015e417a9e26f700d20a6204048756311e46ee338
Opcode Fuzzy Hash: ba2e21f7330646f216b879458cc58f2da4466fcd044b6b554ef356deacf36d18
Instruction Fuzzy Hash: 805105F3A082109BF3046929EC957AAB7D9EB98320F16423DEB98D33C1E9745C044696

Function 007E1160 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

@, xrefs: 007E123B

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d368da919512497dad6424659c74c0fadbf04576c7a721cd314b75c7ee8c9d6b
Instruction ID: 0e3806cdc06b022e8b167e83644d9ad7cfa38590f96010337b2fa3359e3a1ae1
Opcode Fuzzy Hash: d368da919512497dad6424659c74c0fadbf04576c7a721cd314b75c7ee8c9d6b
Instruction Fuzzy Hash: 8A4123B1A053509BD728CF14CC56B7BBBA1FFD9354F488A1CE6855B3A0E3799904C782

Function 007CC465 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

AB@|, xrefs: 007CD9F4

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: AB@|
API String ID: 0-3627600888
Opcode ID: e4cc8aaa9d88b9b5a9f6909ec2ad7518ff0bdb0e6f10876f284e79967a5ffb7a
Instruction ID: e02295c9a6c1ba7f3ffcb26700620f953fcecfa51e36aca932bebc5257932d4b
Opcode Fuzzy Hash: e4cc8aaa9d88b9b5a9f6909ec2ad7518ff0bdb0e6f10876f284e79967a5ffb7a
Instruction Fuzzy Hash: 354103751046928FD7228F39C850B76BBE2FF97310B1896ACC0D69B796D738E845CB50

Function 00969403 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

~tn, xrefs: 0096941C

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ~tn
API String ID: 0-1134583358
Opcode ID: 06846c29da8e118c6b8c0e0257c5b0011d626c2bf0202810dcde177c296056fc
Instruction ID: 8ea73107fa822c651f79c6e87e1e0d00603071a06b42d6b892d459563ee02cf2
Opcode Fuzzy Hash: 06846c29da8e118c6b8c0e0257c5b0011d626c2bf0202810dcde177c296056fc
Instruction Fuzzy Hash: 4041ABB250C615DBD304AA68ED86A7A7BCDE790310F648E2DED87CA754F93C5402A283

Function 007DC830 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0$z, xrefs: 007DC915

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: 0$z
API String ID: 0-542936926
Opcode ID: 32fe62963702c8da053a60053f2de4688f146e2832c2bf558279de004d9bbc55
Instruction ID: 33b6111b85ca6af599c645930e256008a6db2fa630af5371a33416176826577c
Opcode Fuzzy Hash: 32fe62963702c8da053a60053f2de4688f146e2832c2bf558279de004d9bbc55
Instruction Fuzzy Hash: B43122B2A193128BD311DE24C89071BBBE2EB95714F09C92DE484AB342D37AAC01C7D6

Function 007C8528 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007C8545

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 745636da935aebcf351706900aee3b494a0db4ea7daa8433c5099af44af70bd8
Instruction ID: 9a989874fc519203a82c468535fd7ba86840b1d390a14d555d288aced5dadba3
Opcode Fuzzy Hash: 745636da935aebcf351706900aee3b494a0db4ea7daa8433c5099af44af70bd8
Instruction Fuzzy Hash: 45210A746092409BDBAC8B34C8D1F3BB3A3EB95314F38552CD653567A1DA3D9C128A4B

Function 007C1A10 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

,-, xrefs: 007C1A64

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ,-
API String ID: 0-1027024164
Opcode ID: 35385c658aca3f48ce731429e7ac0bfc69ab87e3fd9c62968d19fd5b1f544383
Instruction ID: eda57432fd52bf6f480ff3e421ce5997657c91d2b90720f5e9eb60a18a3820e1
Opcode Fuzzy Hash: 35385c658aca3f48ce731429e7ac0bfc69ab87e3fd9c62968d19fd5b1f544383
Instruction Fuzzy Hash: 9421F4A19163008BC7149F29C852A2BB7B1EF87361B85862CE4868B352F738C905C7A2

Function 007E0340 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@, xrefs: 007E03AD

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: f36357feb783bc40974bed1f866a737a35fbf5561bd5cbef3354c4400bd39fb7
Instruction ID: 9741f4a1f31cdb6a4d141584d4577880f4387c52e9e903e7dbd34cb1ce68b235
Opcode Fuzzy Hash: f36357feb783bc40974bed1f866a737a35fbf5561bd5cbef3354c4400bd39fb7
Instruction Fuzzy Hash: 3B3103715093849BC314DF58D8C166FBBF4EBCA314F14892CEA9887290D3799888CB96

Function 007CDE07 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

ses`, xrefs: 007CDE34

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: e3f6b42e3a438398443637de8c92ac4faecbf08e5ea4a276fa9d0795d306f6e8
Instruction ID: 76fa1e115ab70d583168696879870b510a7de0cd4c24b42061acde633fcae8ab
Opcode Fuzzy Hash: e3f6b42e3a438398443637de8c92ac4faecbf08e5ea4a276fa9d0795d306f6e8
Instruction Fuzzy Hash: 2C1108601046828BEB668F359C54732BFF1EF33354B1892ECD0D6DF292D628C842CB25

Function 007CDDFF Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

ses`, xrefs: 007CDE34

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: 14048ad95322f2e74cefd906339c8d097ec5c0a579bc1a5ef85861ece782dc28
Instruction ID: 05992a555b588730ed28b90e131f74e11395f05cc84995d9307d58493b4b863e
Opcode Fuzzy Hash: 14048ad95322f2e74cefd906339c8d097ec5c0a579bc1a5ef85861ece782dc28
Instruction Fuzzy Hash: FE012BA05046838BE7628F359C55B22BBB1EF33310B18D2ACD095DF292D728C842CB14

Function 007C89E9 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

_^]\, xrefs: 007C8A15

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: cc276695b5b9c32e62889f51531edf7507d67a34b9affdee2699c374b49d99ab
Instruction ID: 12ea733f18313f1efa6f02687f29db2e7c562b95405ed43e10bd53f1c149dd14
Opcode Fuzzy Hash: cc276695b5b9c32e62889f51531edf7507d67a34b9affdee2699c374b49d99ab
Instruction Fuzzy Hash: 6801D6B0A0975187D758CB14C490A3FB7E2BBCA314F199B2DD49213755C738E84287DB

Function 007CE180 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0ec4820b91ded29832917edd91aa07f06b49e72acfdea5414b15d850e6cda6
Instruction ID: 62f1301bedc6d83c762835de82e239e82a27682b5ec61d92bee9557179c1e2ce
Opcode Fuzzy Hash: 6b0ec4820b91ded29832917edd91aa07f06b49e72acfdea5414b15d850e6cda6
Instruction Fuzzy Hash: B862A4F1512B819FD3A1CF2AC881793BBE9AB8D310F14892ED5ADD7311CB7465018F96

Function 007A65F0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa47493edf45d0b3c299e67e3b48ffae7654ecf31beabe08c10c0c2b7019ebb9
Instruction ID: be78729374c8caeed4dc44111b4e76e3d9b7e04b1a6053509af42b8f404e3a69
Opcode Fuzzy Hash: fa47493edf45d0b3c299e67e3b48ffae7654ecf31beabe08c10c0c2b7019ebb9
Instruction Fuzzy Hash: 3052B3B0908B848FEB35CF24C4843A7BBE1EBD2314F188A2DD5E706686D37DA985D711

Function 007A2EB0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1397cc2a027bfc2c13fbc128dcf78513ae5c962918537185995f2492e8e4e7ad
Instruction ID: 27a72c7874f0a87a27b55b87df0a44efff28106b17d9f8b0d780891bf65b7bc2
Opcode Fuzzy Hash: 1397cc2a027bfc2c13fbc128dcf78513ae5c962918537185995f2492e8e4e7ad
Instruction Fuzzy Hash: F052B1716083458FCB15CF28C0906AABBE1BFCA314F19876DF89A5B342D779D949CB81

Function 007A73D0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction ID: a93fd0d7651b07f94e78152db25f34f5d4b176c5778b43a18dea0ae246fe6a73
Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction Fuzzy Hash: 1B22C472A0C7118BD729DF18DC806ABB3E1FFC5315F198A2DD9C697285D738A811CB92

Function 007DFA20 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d0c7b618cde7c6821a156dd7505ee50775b807a52e733613390da1655e9faa
Instruction ID: 4fd9965c275dd13d0f56e190db1cc6a7aaad432fe5050094dfe155c28817949e
Opcode Fuzzy Hash: e8d0c7b618cde7c6821a156dd7505ee50775b807a52e733613390da1655e9faa
Instruction Fuzzy Hash: A1122436A15255DFCB08CF78D8E02AAB7B2FB8D310F1A857DC9469B351D738A841CB81

Function 007A38C0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a150ae15e71a2ae379a285c8993053784c0f99429fc4ed47a5e2463d08ccdc20
Instruction ID: fab3efc84ac07c77e9cc06f71dc11c838e8945f9f75456f07db4cf150c4cc476
Opcode Fuzzy Hash: a150ae15e71a2ae379a285c8993053784c0f99429fc4ed47a5e2463d08ccdc20
Instruction Fuzzy Hash: 3F321570915B118FC368CF29C590526BBF1BF86710B604A2EE69787F91D73AF945CB10

Function 007DFB10 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926307ce9fb9554cde5d877becd4fceeeddd44be931fee12b729ba61c82be396
Instruction ID: e93787b034c95e0e9f7db55c3963839d7f2adba5437a3e13b9987245800adcd4
Opcode Fuzzy Hash: 926307ce9fb9554cde5d877becd4fceeeddd44be931fee12b729ba61c82be396
Instruction Fuzzy Hash: 2A02F335B15251DFCB08CF78D8E02AAB7B2FB89310F1A857DC9469B351D739A841CB81

Function 007BD8AC Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b8a0b387e52d80568a6862409b323f79a6f8e5682c70f3f9e9d957a15ff59b
Instruction ID: 5b083e692f6f0da8c1e499848d34d225c552d4334a82df2d5db538b2cb668427
Opcode Fuzzy Hash: 79b8a0b387e52d80568a6862409b323f79a6f8e5682c70f3f9e9d957a15ff59b
Instruction Fuzzy Hash: CFE1E6B1A00255CFCB24CF69C8517BABBB1FF5A310F18866DE495AB351E338AD11CB94

Function 007BD8D8 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b256d48a06400d45c726669c19b736e2799a282449e055c1e760a7e62638ac
Instruction ID: 766d8d911f01cfcc54babc3f0377486d3719f2937a6f21edb81d86cf960fdb03
Opcode Fuzzy Hash: d7b256d48a06400d45c726669c19b736e2799a282449e055c1e760a7e62638ac
Instruction Fuzzy Hash: 44E1F6B1A00215CFCB24CF69C8517BABBB1FF5A310F14865DE495AB351E338AD11CB94

Function 007DA5D4 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23737def6d1abf43d292137e530f4a1af1334fef1b2b7980803d058b1dbfbb10
Instruction ID: 956ffe71584144cf1e998cbb5779328f925f70cc3b2d49ac1b389ee084f5f7e9
Opcode Fuzzy Hash: 23737def6d1abf43d292137e530f4a1af1334fef1b2b7980803d058b1dbfbb10
Instruction Fuzzy Hash: 9ED13436129256CBCB148F38E892266B3F1FF48711F4AC97DC9818B2A0E33DC960C755

Function 007DFE00 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0309afee9e06b042be309fd34eb9f8692cb60daaa24c697fdfc791b8d70a631
Instruction ID: abc3c5445a53ba1ffbb0b81e0acc159001707c3c6850f45d8f68852a82c79c82
Opcode Fuzzy Hash: c0309afee9e06b042be309fd34eb9f8692cb60daaa24c697fdfc791b8d70a631
Instruction Fuzzy Hash: 82D1EE36B052559FCB18CF78D8A02AEB7F2FB8D310F19853DD946A7381D639A841CB80

Function 007A5900 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction ID: ea8dfa5add55452b035bb18813b15aa17ebeba8513b8c651556db76b10c046b5
Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction Fuzzy Hash: 6CE17971208741DFD724DF29C880A6BBBE1EF99300F44892DF5D587752E279E948CBA2

Function 007DFD70 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0f8d32a72d9e050eedb4a9e36b7ad6c788303de2ddfe2063df51dbc1036732
Instruction ID: c613884f91813885dbd0bc26aa6a979c3fe97183aa6ea0d2a4685ca7ad9cd0af
Opcode Fuzzy Hash: 1d0f8d32a72d9e050eedb4a9e36b7ad6c788303de2ddfe2063df51dbc1036732
Instruction Fuzzy Hash: 7DB1ED35A05255DFCB08CF68D8D02AAB7B2FF8E320F19857DD946AB351C739A841CB81

Function 007BE220 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b4c395a18034936c768d9459e8c1432d47f9110f728eea839ea54954897bad
Instruction ID: 13d537c7d644a4c5c5f567f1f254bfa617b15c6e09010d24eb12943cd907bdfc
Opcode Fuzzy Hash: 19b4c395a18034936c768d9459e8c1432d47f9110f728eea839ea54954897bad
Instruction Fuzzy Hash: 01B1D875904301EFD7219F24CC45B9ABBE2FFD8314F148A2DF594A73A1D73A99148B82

Function 007E09E0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 536a8b4aa46f7a341dc78eca90d6d0be701e8e03810ab74ffb9a7866b5ff2bbb
Instruction ID: 9144cd4c9f2616aa8755c15c8cfc63625ea238192e8307fa329e562071e1aa51
Opcode Fuzzy Hash: 536a8b4aa46f7a341dc78eca90d6d0be701e8e03810ab74ffb9a7866b5ff2bbb
Instruction Fuzzy Hash: 289105756093519FC724DF19C89066BB3E2FB88710F18C52CE9954B3A5E778AC90CBD2

Function 007E06F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb819607650cc634f78e1f02e994bd66411c827059799d24934e3144600f620c
Instruction ID: ac53e9513d53c21ab971ef350ea6d251a435ca2366de88d41418e2d3b318f12d
Opcode Fuzzy Hash: eb819607650cc634f78e1f02e994bd66411c827059799d24934e3144600f620c
Instruction Fuzzy Hash: 618115356062418BD7149F19D89062A77A2EFD9710F19852CE8C49B396EB78EC81CBC2

Function 007CEE63 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78443f384f71c604090b6aaf6ebfafd74307e619da0285711a3be4ad3f00284
Instruction ID: ee9737f3ac1e4fc0eb08902358e370b33d2b7fcac38fda2d03222be0c42b0b4a
Opcode Fuzzy Hash: b78443f384f71c604090b6aaf6ebfafd74307e619da0285711a3be4ad3f00284
Instruction Fuzzy Hash: 02C11762609B808BD3258B38D8953E7BFD26BE5324F1CCA7DC4FB87386D578A4058712

Function 007A6160 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction ID: 7dd612d95c809e5464f93a2a7b2449d4f7dd4792bbdc03e17e2579a6092d5147
Opcode Fuzzy Hash: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction Fuzzy Hash: 02C15DB29487418FC370CF68DC96BABB7E1BF85318F084A2DD1D9C6242E778A155CB46

Function 007D1CF0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675441db9beae1b3fd6027f5af936c5593eeda786d18e0285ca14ac470aeaa87
Instruction ID: 1479a560ae69c3b332a6425ba6e4d815a6e7778483361a1073d4267515dec128
Opcode Fuzzy Hash: 675441db9beae1b3fd6027f5af936c5593eeda786d18e0285ca14ac470aeaa87
Instruction Fuzzy Hash: B5914E33B5AAE047D328897D4C552A6B9930BD6330F6EC77E99F58B3E5D96D4C028380

Function 007F8778 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47212d2c69cfa7c202bbf81af57429871e863244c43be37f432f9a152e8bb3e0
Instruction ID: 3cea3d8b28ab6c9b2f87be47309bbf7e99f5812565182b8b1251ef84b0ea6c9d
Opcode Fuzzy Hash: 47212d2c69cfa7c202bbf81af57429871e863244c43be37f432f9a152e8bb3e0
Instruction Fuzzy Hash: CF917DB3F102254BF3484C38CD983A6768397D4324F2F427C8E89AB7C6D97E6D0A5284

Function 007CFE74 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae105a0589e9803a4f3f4266522b8bfd4df37dfe1da7a72a032c291a4e2412a6
Instruction ID: b45de5637394fda36f3f8f6238464ef5d1a0d7f08595264ef7e4683d94998449
Opcode Fuzzy Hash: ae105a0589e9803a4f3f4266522b8bfd4df37dfe1da7a72a032c291a4e2412a6
Instruction Fuzzy Hash: E0B1E86260AF808BE3158B38C855797BFE26B96314F1CC97DC4EE87386D5786409C712

Function 007C04C6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f7fababf904007dcff2eaf7c425e45d6a9557b00b629950081f529d2400e59
Instruction ID: ecb29dd8c9d7d91a25861f9fa6799ca39ca195549cf7aa19e7ad28ac2f43ad5a
Opcode Fuzzy Hash: 00f7fababf904007dcff2eaf7c425e45d6a9557b00b629950081f529d2400e59
Instruction Fuzzy Hash: 61B16132618FC18AD325CA3D8855397BED25B97334F1C8B9DA1FA8B3E2D674A102C715

Function 0092676A Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac7a912185790b8d9701423bd46168825258e68e57e69e0084429eaa8ad180d
Instruction ID: 6d9cb51ccde1dfc5321b7ec0ce681f52d12d12a8f3da07c3fbc204bd2d2527fa
Opcode Fuzzy Hash: 1ac7a912185790b8d9701423bd46168825258e68e57e69e0084429eaa8ad180d
Instruction Fuzzy Hash: A8712AF3A086149FE700AE69EC80726B7D9DBD4720F2A853DE6D4D7384F5359C058296

Function 007E0460 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3de5f8e45118aa3954a3eb98d375793cc87e1c1ba4433b6dac8b81027248534
Instruction ID: ec083d084299c8d7321b7c1e166c694ef9c58b6b89b8531518b653d84c8a92c9
Opcode Fuzzy Hash: e3de5f8e45118aa3954a3eb98d375793cc87e1c1ba4433b6dac8b81027248534
Instruction Fuzzy Hash: 576149356053819BD7159F19C890A3FB7A2EBC9710F19C52CE9858B291EB78DCA1C7C2

Function 008128FA Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa3dcdd60414d7db639868cae53f89a0aa8cb360080c93546ac7af03f1b4e62
Instruction ID: 01c49d8ebcf73d354e82a530405f06dfa7f1eb7f2ec5afefd345be1b11c4934b
Opcode Fuzzy Hash: 4fa3dcdd60414d7db639868cae53f89a0aa8cb360080c93546ac7af03f1b4e62
Instruction Fuzzy Hash: FE81C0B3F5022547F3144939CDA83A27A83DBD5320F2F827C8E995B7CAD87E1D4A5284

Function 007DC5A0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4720d769dd6951304c62a5bf3e145ce522ea65ad1d6452d82cd229528ac5955
Instruction ID: e9647a3015827630ea55d52f7c5195c82f0748853bb615f1c13ff1b200617374
Opcode Fuzzy Hash: f4720d769dd6951304c62a5bf3e145ce522ea65ad1d6452d82cd229528ac5955
Instruction Fuzzy Hash: B8516E75A083064BD729AF24C88062FB7E2ABD5320F1DC97ED5C59B391E6359C01CB85

Function 007BE630 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebd452bbf932c8d7b97d364d2a5a3baf80608c9d19aacd311c776784962b1ec
Instruction ID: ace06f1af4e6f690716f920cf4c2fde7f420bd5439df9b395ceee09c52415a64
Opcode Fuzzy Hash: aebd452bbf932c8d7b97d364d2a5a3baf80608c9d19aacd311c776784962b1ec
Instruction Fuzzy Hash: AF61F432A0AAD04BE328893C4C513E66E934BDA334F2DD76DE9F68B3E2D56D4C055341

Function 007C8ABC Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08a87926808d137e4d957522548f3a021cf34309ab38a250c2933087d1d8085
Instruction ID: 5e7ba0a5694173cfcd5e7140b444e1d24db378cf6925ed42b9f8fff82be5b6c9
Opcode Fuzzy Hash: a08a87926808d137e4d957522548f3a021cf34309ab38a250c2933087d1d8085
Instruction Fuzzy Hash: 3F5104B2A14B154BC718CE2DD89172AB3D2ABC8300F5DC63DD95A8B386EF34AC15C781

Function 007BAEB0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dff517c2dfe7451ab8c1baec32d54e6e04ac370dfa5596af2cff20cd8b706e
Instruction ID: 5f9ee09f718be1e5f87460f989d59c3f8930d679a371b19f829a1cd8300a21cf
Opcode Fuzzy Hash: 80dff517c2dfe7451ab8c1baec32d54e6e04ac370dfa5596af2cff20cd8b706e
Instruction Fuzzy Hash: 3E513B33659AC04FD328A97C5C903F67A834BD6330B3DC769EAF18B3E1D69989055341

Function 007D5A4F Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56889262be9634de279547c4a91eec010d3e8a3639446dffb02e86dae9c42a39
Instruction ID: 8ffeeb4ae9b465bf2bb406dbab665542bc916b6595ef8e092206b31986deb8a5
Opcode Fuzzy Hash: 56889262be9634de279547c4a91eec010d3e8a3639446dffb02e86dae9c42a39
Instruction Fuzzy Hash: 12817BB1A046558FDB08CF68C9957AEBBF1BF49300F1482ADE859EB391C7399D01CB91

Function 007BE960 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d5f65c5bf7d072049b9af79a499f2f94c7684f37844ea5a1b2ef27ba1fcfb5
Instruction ID: 4407e704ca5d0a10db11f3cd15e00306614a27db676291431d6bdf8bbf733903
Opcode Fuzzy Hash: 43d5f65c5bf7d072049b9af79a499f2f94c7684f37844ea5a1b2ef27ba1fcfb5
Instruction Fuzzy Hash: 7B51123374A9C04BD328893C5C613EAAA970BD6330B3DC76AE5B2CB3E5D96D8C058341

Function 007D8650 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45266db1437416af79d9adcadb7b94d59e0e3cef13ad0bacd323e30fe01f4a8
Instruction ID: 32fe297a78fa23024700e1405e147a427792eee89e77026835a79d27b84b104d
Opcode Fuzzy Hash: a45266db1437416af79d9adcadb7b94d59e0e3cef13ad0bacd323e30fe01f4a8
Instruction Fuzzy Hash: 41517CB19087548FE314DF69D89435BBBE1BBC4318F444A2EE4E987351E779DA088F82

Function 007D3C10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4095d7b7aa76201fef690cebab2101bcc51d48929413f9c23d8f636574c848bb
Instruction ID: 312eccde2267a9de282f181596d4afcfb739f31c9a2b7ac175288f6ed2df135b
Opcode Fuzzy Hash: 4095d7b7aa76201fef690cebab2101bcc51d48929413f9c23d8f636574c848bb
Instruction Fuzzy Hash: 07513C37659AD04BD3288D3D5C612A57AA30BD6330B3E836FB6B64B3E1C9694A015352

Function 007CF377 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204374083efd2b8af1c8f8961860cc37bd925e25e2e2af8e43204be8a08de8ff
Instruction ID: 830575ff642da3eab29cd1ac8b778d0f3601f80bcc3f15fee097ad53d85de5b4
Opcode Fuzzy Hash: 204374083efd2b8af1c8f8961860cc37bd925e25e2e2af8e43204be8a08de8ff
Instruction Fuzzy Hash: 25610C72744B418FC728CE3CC8957E6BBD29B85314F19863CD4BBCB385EA79A4058701

Function 007DF18B Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607b250069f06f2cf3a07c892daf783a59778c70dfd4a0fc7067efacbe43b9dc
Instruction ID: 8a043b2f4c43ef9d1a08911c6cca58b1e7437ec2fd7b5e3bd1e57fe301e8841e
Opcode Fuzzy Hash: 607b250069f06f2cf3a07c892daf783a59778c70dfd4a0fc7067efacbe43b9dc
Instruction Fuzzy Hash: 8F41D6327087554BD719CE39889127BFBE2ABDA300F1E883ED4C7D7356D528E9068781

Function 007CBF13 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f3300d45f07faa75f50c3fa760cf1093fc61c22d3b08d49ce0701d05dd884
Instruction ID: 78192ac80b09e98201bb22a91e6b89c9c6a8a464553267d5e16c77efa0bb7fce
Opcode Fuzzy Hash: 3b4f3300d45f07faa75f50c3fa760cf1093fc61c22d3b08d49ce0701d05dd884
Instruction Fuzzy Hash: 2341B5A4504790CFE7378B3998A1B73BBD0AF27305F18199CF0E75F686D62994058B16

Function 007BB57D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fca5fa5d7fbefa95a98cfc34fe19e0917f98a35c61a234df72c860600bdb6a
Instruction ID: 70c94d0718efb20e309c8529dc9ca9c16af526a6cd433e269692124b3fd381a9
Opcode Fuzzy Hash: f8fca5fa5d7fbefa95a98cfc34fe19e0917f98a35c61a234df72c860600bdb6a
Instruction Fuzzy Hash: 79313B605047D08FD73A8B3594A1BB37FE09F67308F58488DD5E39B293D62AE509C761

Function 0084D16B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb184f15396a72a0e1a229d855ad5742ec7ace438ad4d9424d79a51819fe541e
Instruction ID: 66a014036efd559f8d49042f1c2925340c1236e3b46631ec42af72fe242ac53c
Opcode Fuzzy Hash: eb184f15396a72a0e1a229d855ad5742ec7ace438ad4d9424d79a51819fe541e
Instruction Fuzzy Hash: 53417EF3A483185BD3402D3D9D8532BBBD9EF40660F2E093DDAD8D3741E9BA95058293

Function 007ACC7A Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 0d826a74b7a459a50be7c103c8dc10e9ced23738f6136ea52fb3c09f44af9a8d
Instruction ID: e6873b465cc398d898d00b4659de3999ef8b548feebf9192fd5b700919dea17c
Opcode Fuzzy Hash: 0d826a74b7a459a50be7c103c8dc10e9ced23738f6136ea52fb3c09f44af9a8d
Instruction Fuzzy Hash: E0313AEAF001449BE54576212CABF7F62674BD2718F08012CF5072A383ED6DF95686A7

Function 007DDA4D Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843671812b6aba38f9da57a9339f6637eabc7f80a4b77226145acfa5263b23b6
Instruction ID: b84d72175ef664386f9bda15868a4a6a5979e9c2d7e9d4ef3a81b623b9bc366b
Opcode Fuzzy Hash: 843671812b6aba38f9da57a9339f6637eabc7f80a4b77226145acfa5263b23b6
Instruction Fuzzy Hash: B84148B2A5D3019BE7089F65AC4662B7BE29BE5300F09C43DE185C3792E97C8906874A

Function 007C0E6C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383b0d3ceae920d9c55a330a3af93076c1d33f9245ba7eb70b30e10e27f23939
Instruction ID: e9b192a0247ce33099d22bf2b8fa08d6e89573384d925aa46b8ba1109d625a7f
Opcode Fuzzy Hash: 383b0d3ceae920d9c55a330a3af93076c1d33f9245ba7eb70b30e10e27f23939
Instruction Fuzzy Hash: 2F415A72615F408BD3288A3CCC91796BBD2AB89324F194B2DE1BAC73D1DA78E4418B45

Function 007D2070 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03000f99b3c3389d9005510419e3d025c9b208d21a6bb990084e71b14baa3c7b
Instruction ID: 430eca01a0abaa20e6e9d5c8c1baef4bd95c01f2e5da6563fa833bb98a643688
Opcode Fuzzy Hash: 03000f99b3c3389d9005510419e3d025c9b208d21a6bb990084e71b14baa3c7b
Instruction Fuzzy Hash: E7814DB550B3C48BD3B4DF16E99869BBBE0AB89304F10896DD48C5B360CBB85448CF97

Function 007DA440 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257f930fff8ac5571b740c804d3fe8f9527e358f99b749092fc537f7b3a7f2a5
Instruction ID: dfdcad871ccfe5565935ed4c257c4171344db7322b6e2faf54513ed49bdd7119
Opcode Fuzzy Hash: 257f930fff8ac5571b740c804d3fe8f9527e358f99b749092fc537f7b3a7f2a5
Instruction Fuzzy Hash: 9B310972A086045BC7199D3D5C9027BBAA3ABC5330F2DC73EEA778B3C5DA788C515242

Function 007FB598 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b600e8d41f19370fcdcae448b127499a6ac5b87f64ae9059089298a1e95030e
Instruction ID: 88a7ed84ea5e68f3ff23e21ce676eeb1eb75b50b98149d6a162aa4a6df039538
Opcode Fuzzy Hash: 8b600e8d41f19370fcdcae448b127499a6ac5b87f64ae9059089298a1e95030e
Instruction Fuzzy Hash: 7021CF7240820ECFDB19AE3CC5983BE77E0EF14325F51072EDE9282A90D7B95D54CA09

Function 007D6210 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 3c19b1493f675a077b23ff73472539cd8193b17d8492fcc946ae8613e5c4bc57
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2D11E933A451D40ED3168D3C8440565BFF31AD3734B19439AF4B89B3D6D6269D8A9354

Function 007CAAC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2251be66b5fccd5a1fe59483fef8f2f41489fc9a32a5a0d1f329cdb6fcd8db
Instruction ID: 4bd2977744c6963b144ff4bf1a85279aec1f257c027926d5973ea268cb31e25f
Opcode Fuzzy Hash: 8e2251be66b5fccd5a1fe59483fef8f2f41489fc9a32a5a0d1f329cdb6fcd8db
Instruction Fuzzy Hash: DA0171F1A00349A7E7209E5599C5F2BB3A96F91709F18852CE80657302DB7EED05C693

Function 007DC990 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12496238183af97c64870a1938ea45fd560eb9598aceb304923544cdc304986b
Instruction ID: 36e2e4262502dee403504c6da8755f890760bc05f407f9f7b0d7e2025a899328
Opcode Fuzzy Hash: 12496238183af97c64870a1938ea45fd560eb9598aceb304923544cdc304986b
Instruction Fuzzy Hash: 090126B1B012275BD722DE54DCC063FB766A7D6710F1DD07AD4806B305D6389C41D2A5

Function 007BC300 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction ID: d654c55a5fc6e6112e47924535dea967c9205b5656c7ef7fe1b1b30569655a1a
Opcode Fuzzy Hash: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction Fuzzy Hash: 44F04F60104B918AD7328F3985243B3BFF09F23328F545A8CC5E35BAD2D37AE10A8795

Function 007DEDC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae8229e14e21e7f729768f7ce24cffd8d97ba7a213c9c96d7908018951fd06e
Instruction ID: f3cb17828abbaf2d7fd60be9ff9a3e6c96011ad9c1997dd22340d075ea628148
Opcode Fuzzy Hash: eae8229e14e21e7f729768f7ce24cffd8d97ba7a213c9c96d7908018951fd06e
Instruction Fuzzy Hash: 0501B174E402688BDB24CF65E8D02BEB7B2FF56705F185058E482FB380EB398805CB59

Function 007CC850 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86866cd4e38b3116793d134ca8673ca1f7398a55dd3582e6c7cac7c22d58b7
Instruction ID: 097223f3a89dc4eec70d1c692e45a8abd66ca6e252a01cb6dac774a385a76d0f
Opcode Fuzzy Hash: 9c86866cd4e38b3116793d134ca8673ca1f7398a55dd3582e6c7cac7c22d58b7
Instruction Fuzzy Hash: C2F090244096C38ADB068F298060B72FBE1AF67704F1D51DDD4C5AB393DB1ED856C714

Function 007CE0DA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction ID: cb35162da68a5f79934e0813172d5a9063c38e5b6404fcc2ee16af8af753c090
Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction Fuzzy Hash: F7F06C104087D28AD723473D4450BB2AFD09B53220B181BDDC4E1972C7C3199596D355

Function 007CD116 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d510b9f3373e4eee883906b1c7ca7cfdd91e4a3fec70dba2b5c25c68704006
Instruction ID: 383468374c53acc6d0eceb76d8764f9513b8488bfec0719e46d550199a7fd946
Opcode Fuzzy Hash: 67d510b9f3373e4eee883906b1c7ca7cfdd91e4a3fec70dba2b5c25c68704006
Instruction Fuzzy Hash: AB01F9716442829BD354CF38CDE0666FBA1FB86364B08C75CD4598B796C638D842C799

Function 007AC805 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120352156.00000000007A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2120336646.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120352156.00000000007E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120405492.00000000007F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.00000000007F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000970000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120424092.0000000000A8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120677650.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120785011.0000000000C24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120804562.0000000000C25000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_lJEIftsml0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a108a83b134337c5b23be026de96b1b2a1c41b31b14204d263785206b3842d
Instruction ID: d80ccd26594d6f53c029d58dc47ee633b2ff267a1ede173634cd4d71963c14c0
Opcode Fuzzy Hash: 11a108a83b134337c5b23be026de96b1b2a1c41b31b14204d263785206b3842d
Instruction Fuzzy Hash: 34C012355034C4EF82044F20DC884B9B778BB4F10AB00E404D507EB212CB29B5018B5D

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lJEIftsml0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
lJEIftsml0.exe

Function 007AB100 Relevance: 19.2, Strings: 15, Instructions: 425
COMMON

Function 007A8600 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 356
COMMON

Function 007DE110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 007E1720 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Function 007A9D1E Relevance: 3.1, APIs: 2, Instructions: 142
libraryCOMMON

Function 007DE0A0 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Function 007A9EB7 Relevance: 1.5, APIs: 1, Instructions: 18
networkCOMMON

Function 007DC570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 007DC55C Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON