Edit tour

Windows Analysis Report
v3tb7mqP48.exe

Overview

General Information

Sample name:	v3tb7mqP48.exe renamed because original name is a hash value
Original sample name:	d95295774a298d56818441b8632671ff.exe
Analysis ID:	1586506
MD5:	d95295774a298d56818441b8632671ff
SHA1:	b2c3429a55a7a0cc872701286b7890f0df6db885
SHA256:	810297ae1facff74c9639568a9a7eb8b4ac14af8148924ab07939cbc8e8c0a42
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

v3tb7mqP48.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\v3tb7mqP48.exe" MD5: D95295774A298D56818441B8632671FF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["femalsabler.shop", "robinsharez.shop", "versersleep.shop", "soundtappysk.shop", "chipdonkeruz.shop", "crowdwarek.shop", "apporholis.shop", "letterdrive.shop", "handscreamny.shop"], "Build id": "LOGS11--6969"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.920977+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.168487+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.6	50700	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.202279+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.6	52316	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.179896+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.6	50451	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.156211+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.6	53133	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.215414+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.6	51832	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.225729+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.6	52053	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.130052+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.6	51553	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:35.190868+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.6	52514	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:42:36.415000+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49709	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: v3tb7mqP48.exe

Avira: detected

Antivirus detection for URL or domain

Source: letterdrive.shop

Avira URL Cloud: Label: malware

Found malware configuration

Source: v3tb7mqP48.exe.6456.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["femalsabler.shop", "robinsharez.shop", "versersleep.shop", "soundtappysk.shop", "chipdonkeruz.shop", "crowdwarek.shop", "apporholis.shop", "letterdrive.shop", "handscreamny.shop"], "Build id": "LOGS11--6969"}

Multi AV Scanner detection for submitted file

Source: v3tb7mqP48.exe	ReversingLabs: Detection: 60%
Source: v3tb7mqP48.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: v3tb7mqP48.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: letterdrive.shop
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2133585730.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: LOGS11--6969

Source: v3tb7mqP48.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, edx	0_2_00F1B2B0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_00F4F0E0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00F37070
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_00F1A05C
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00F2B184
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00F2B173
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00F3B170
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_00F2F2A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, eax	0_2_00F38280
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00F2B243
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00F12210
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then jmp ecx	0_2_00F1D334
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_00F1C3EC
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00F32380
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_00F1C334
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00F37490
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00F2B484
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, eax	0_2_00F52470
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_00F5042D
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, eax	0_2_00F5042D
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov eax, edi	0_2_00F2C400
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00F27405
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00F27405
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov edx, ecx	0_2_00F27405
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then push edi	0_2_00F4C5A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_00F4C5A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00F48520
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, dword ptr [00F5C548h]	0_2_00F28672
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00F2B667
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00F3B652
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00F17620
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00F17620
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_00F527B0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov esi, ecx	0_2_00F25720
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, eax	0_2_00F25720
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then jmp eax	0_2_00F518A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00F2B882
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_00F4B870
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov edx, ecx	0_2_00F4B870
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00F29840
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_00F3D830
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then test esi, esi	0_2_00F4C9A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F2A900
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00F35AF0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ebx, eax	0_2_00F15AB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ebp, eax	0_2_00F15AB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00F3EA62
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, eax	0_2_00F1AA36
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ebx, edx	0_2_00F3DBF0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00F3EBB3
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00F51BB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_00F2BBA0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00F3EBA1
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_00F3BBA0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ecx, eax	0_2_00F50BAB
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00F3EB5F
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00F2BB21
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00F51B20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00F2AB2A
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00F3BB00
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00F36C76
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00F51C40
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00F24C20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00F35D6A
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00F52D20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00F2AEFF
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_00F2BEE1
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00F26ED0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then jmp ecx	0_2_00F1CEC7
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F19E09
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_00F1DFE2
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00F1DFE2
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00F18F90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.6:51832 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.6:52053 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.6:50451 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.6:52514 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.6:53133 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.6:51553 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.6:52316 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.6:50700 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49709 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: letterdrive.shop
Source: Malware configuration extractor	URLs: handscreamny.shop

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=f25ddf89bd9793abb0eae7c4; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 07:42:36 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlff0h equals www.youtube.com (Youtube)
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ne' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: letterdrive.shop
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.0000000001514000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900s
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: v3tb7mqP48.exe, 00000000.00000003.2150020200.0000000001518000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: v3tb7mqP48.exe, 00000000.00000003.2150020200.0000000001518000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49709 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: v3tb7mqP48.exe	Static PE information: section name:
Source: v3tb7mqP48.exe	Static PE information: section name: .idata
Source: v3tb7mqP48.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1B2B0	0_2_00F1B2B0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F18880	0_2_00F18880
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2D0C0	0_2_00F2D0C0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F37070	0_2_00F37070
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F16000	0_2_00F16000
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F221DB	0_2_00F221DB
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3B170	0_2_00F3B170
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4F150	0_2_00F4F150
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F37133	0_2_00F37133
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F35100	0_2_00F35100
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0110F328	0_2_0110F328
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F142B0	0_2_00F142B0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F192A0	0_2_00F192A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010D0382	0_2_010D0382
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2825B	0_2_00F2825B
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F163C0	0_2_00F163C0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F32380	0_2_00F32380
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F18360	0_2_00F18360
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010E4509	0_2_010E4509
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4A4EF	0_2_00F4A4EF
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F454C4	0_2_00F454C4
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F474AB	0_2_00F474AB
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F52470	0_2_00F52470
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F38437	0_2_00F38437
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4443D	0_2_00F4443D
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F42426	0_2_00F42426
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2C400	0_2_00F2C400
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2D400	0_2_00F2D400
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F27405	0_2_00F27405
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010D5413	0_2_010D5413
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4C5A0	0_2_00F4C5A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1D545	0_2_00F1D545
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2F6D0	0_2_00F2F6D0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01093759	0_2_01093759
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2A690	0_2_00F2A690
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F5768E	0_2_00F5768E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F17620	0_2_00F17620
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F46610	0_2_00F46610
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F357E0	0_2_00F357E0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F527B0	0_2_00F527B0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F19790	0_2_00F19790
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F25720	0_2_00F25720
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F518A0	0_2_00F518A0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4B870	0_2_00F4B870
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F37860	0_2_00F37860
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F16850	0_2_00F16850
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F29840	0_2_00F29840
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F7A848	0_2_00F7A848
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4F820	0_2_00F4F820
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4080E	0_2_00F4080E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3A9F7	0_2_00F3A9F7
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1E9B0	0_2_00F1E9B0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2194F	0_2_00F2194F
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00FDA93F	0_2_00FDA93F
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F43930	0_2_00F43930
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F49923	0_2_00F49923
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010C88D4	0_2_010C88D4
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F13900	0_2_00F13900
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F35AF0	0_2_00F35AF0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2DAD0	0_2_00F2DAD0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F39ADE	0_2_00F39ADE
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F15AB0	0_2_00F15AB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F28A7A	0_2_00F28A7A
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010E2B9E	0_2_010E2B9E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3EA62	0_2_00F3EA62
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1CA62	0_2_00F1CA62
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F52A60	0_2_00F52A60
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3DBF0	0_2_00F3DBF0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F28BC9	0_2_00F28BC9
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3EBB3	0_2_00F3EBB3
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F51BB0	0_2_00F51BB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2BBA0	0_2_00F2BBA0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3EBA1	0_2_00F3EBA1
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3BBA0	0_2_00F3BBA0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010DDA69	0_2_010DDA69
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F28B79	0_2_00F28B79
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F38B67	0_2_00F38B67
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F47B69	0_2_00F47B69
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3EB5F	0_2_00F3EB5F
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4CB40	0_2_00F4CB40
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F42B24	0_2_00F42B24
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F12B20	0_2_00F12B20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F28B23	0_2_00F28B23
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F51B20	0_2_00F51B20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01127AF6	0_2_01127AF6
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010D9AF9	0_2_010D9AF9
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F44CEF	0_2_00F44CEF
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2DCB0	0_2_00F2DCB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4ACB0	0_2_00F4ACB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F3FCBC	0_2_00F3FCBC
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010D3D54	0_2_010D3D54
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F36C76	0_2_00F36C76
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F51C40	0_2_00F51C40
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F24C20	0_2_00F24C20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F28C2A	0_2_00F28C2A
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010D1DF4	0_2_010D1DF4
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F14DC0	0_2_00F14DC0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F30D90	0_2_00F30D90
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01087C60	0_2_01087C60
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00FBAD88	0_2_00FBAD88
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F35D6A	0_2_00F35D6A
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F4CD27	0_2_00F4CD27
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F52D20	0_2_00F52D20
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F45D13	0_2_00F45D13
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F12EF0	0_2_00F12EF0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F33EFF	0_2_00F33EFF
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2BEE1	0_2_00F2BEE1
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F26ED0	0_2_00F26ED0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010E0F79	0_2_010E0F79
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F41E8E	0_2_00F41E8E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F31E70	0_2_00F31E70
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1AE30	0_2_00F1AE30
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1DFE2	0_2_00F1DFE2
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F39FE4	0_2_00F39FE4
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F1CFEC	0_2_00F1CFEC
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F51FB0	0_2_00F51FB0
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010DBE74	0_2_010DBE74
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F37F30	0_2_00F37F30
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00F2AF24	0_2_00F2AF24

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: String function: 00F18170 appears 45 times
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: String function: 00F24C10 appears 116 times

Source: v3tb7mqP48.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: v3tb7mqP48.exe	Static PE information: Section: ZLIB complexity 0.9977766312893082
Source: v3tb7mqP48.exe	Static PE information: Section: zmioojwu ZLIB complexity 0.9949271537162162

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/1

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Code function: 0_2_00F454C4 CoCreateInstance,

0_2_00F454C4

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: v3tb7mqP48.exe	ReversingLabs: Detection: 60%
Source: v3tb7mqP48.exe	Virustotal: Detection: 66%

Source: v3tb7mqP48.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

File read: C:\Users\user\Desktop\v3tb7mqP48.exe

Jump to behavior

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Section loaded: dpapi.dll	Jump to behavior

Source: v3tb7mqP48.exe

Static file information: File size 1883136 > 1048576

Source: v3tb7mqP48.exe

Static PE information: Raw size of zmioojwu is bigger than: 0x100000 < 0x1a0400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Unpacked PE file: 0.2.v3tb7mqP48.exe.f10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmioojwu:EW;psvnanhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmioojwu:EW;psvnanhn:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: v3tb7mqP48.exe

Static PE information: real checksum: 0x1d4935 should be: 0x1d7251

Source: v3tb7mqP48.exe	Static PE information: section name:
Source: v3tb7mqP48.exe	Static PE information: section name: .idata
Source: v3tb7mqP48.exe	Static PE information: section name:
Source: v3tb7mqP48.exe	Static PE information: section name: zmioojwu
Source: v3tb7mqP48.exe	Static PE information: section name: psvnanhn
Source: v3tb7mqP48.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01157156 push 7433CDE7h; mov dword ptr [esp], eax	0_2_0115715E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01158163 push 58CCC960h; mov dword ptr [esp], edi	0_2_011581AF
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01152197 push 6310A46Ch; mov dword ptr [esp], edi	0_2_01152201
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_01152197 push 55DFFD7Ch; mov dword ptr [esp], esi	0_2_0115228A
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011ED18B push ecx; mov dword ptr [esp], esi	0_2_011ED1EB
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011ED18B push 13325392h; mov dword ptr [esp], ebx	0_2_011ED209
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011ED18B push 0A5FD48Ah; mov dword ptr [esp], ecx	0_2_011ED253
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011461B3 push 30526F76h; mov dword ptr [esp], edi	0_2_011461E1
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011461B3 push ebx; mov dword ptr [esp], eax	0_2_011461E5
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011461B3 push 631A5330h; mov dword ptr [esp], edi	0_2_0114620E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0110E1D6 push ebx; mov dword ptr [esp], eax	0_2_0110E21B
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0116B1C4 push 2DE26C11h; mov dword ptr [esp], eax	0_2_0116B21F
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011691C3 push ebp; mov dword ptr [esp], edx	0_2_011691E5
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00FAD1F5 push 566EF88Ah; mov dword ptr [esp], esi	0_2_00FAD26C
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00FAD1F5 push 062F1BB6h; mov dword ptr [esp], ebx	0_2_00FAD27B
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_00FAD1F5 push 4398D57Dh; mov dword ptr [esp], eax	0_2_00FAD2DC
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0115203B push eax; mov dword ptr [esp], 3F7E73CBh	0_2_0115204F
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0115203B push esi; mov dword ptr [esp], 7FFEAB92h	0_2_0115207E
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011D5059 push 20946D5Eh; mov dword ptr [esp], ebp	0_2_011D4F8C
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0117D04D push 0D8488E9h; mov dword ptr [esp], edi	0_2_0117D0C6
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010A606B push 7D75F923h; mov dword ptr [esp], esi	0_2_010A6080
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010A606B push 074FFDFFh; mov dword ptr [esp], eax	0_2_010A6174
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_010A606B push eax; mov dword ptr [esp], 1813CF80h	0_2_010A61BA
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0116C0B5 push eax; mov dword ptr [esp], edi	0_2_0116C18D
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011B4312 push esi; mov dword ptr [esp], ecx	0_2_011B4335
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011B4312 push ebp; mov dword ptr [esp], 2BFF8B8Bh	0_2_011B435C
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011B4312 push 578606C1h; mov dword ptr [esp], ebp	0_2_011B43A5
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_011B4312 push edi; mov dword ptr [esp], ecx	0_2_011B43E5
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0110F328 push edx; mov dword ptr [esp], esi	0_2_0110F355
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0110F328 push edx; mov dword ptr [esp], edi	0_2_0110F40B
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Code function: 0_2_0110F328 push 77295FCFh; mov dword ptr [esp], eax	0_2_0110F4BA

Source: v3tb7mqP48.exe	Static PE information: section name: entropy: 7.989013121208089
Source: v3tb7mqP48.exe	Static PE information: section name: zmioojwu entropy: 7.9544708640715545

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: F6B097 second address: F6B09B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: F6B09B second address: F6B0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: F6B0A1 second address: F6B0AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F083C5154E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: F6B0AB second address: F6B0CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F083C517C57h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10DA006 second address: 10DA01A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F083C5154EAh 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jbe 00007F083C5154ECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E9DD5 second address: 10E9DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007F083C517C46h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E9DE6 second address: 10E9E2D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F083C5154FFh 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jbe 00007F083C5154E6h 0x00000013 jmp 00007F083C5154F4h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10EA2A7 second address: 10EA2C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 js 00007F083C517C5Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F083C517C4Ch 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10EA575 second address: 10EA58F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F083C5154EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F083C5154E6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10EA718 second address: 10EA71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10EA71E second address: 10EA726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10EA726 second address: 10EA735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F083C517C46h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10EA735 second address: 10EA739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10ED17E second address: 10ED1C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F083C517C46h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F083C517C48h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D2EB5h], edx 0x00000031 push 3B6185C1h 0x00000036 pushad 0x00000037 pushad 0x00000038 je 00007F083C517C46h 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10ED1C1 second address: 10ED26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F083C5154E8h 0x0000000b popad 0x0000000c xor dword ptr [esp], 3B618541h 0x00000013 mov esi, ebx 0x00000015 mov dword ptr [ebp+122D1EB8h], eax 0x0000001b push 00000003h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F083C5154E8h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 call 00007F083C5154F1h 0x0000003c pushad 0x0000003d mov bx, di 0x00000040 or edx, dword ptr [ebp+122D34B7h] 0x00000046 popad 0x00000047 pop edx 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007F083C5154E8h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 0000001Dh 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 mov dword ptr [ebp+122D3312h], edx 0x0000006a jmp 00007F083C5154F7h 0x0000006f push 00000003h 0x00000071 push 45449427h 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10ED26A second address: 10ED26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10ED26E second address: 10ED28F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F083C5154F0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110CFC9 second address: 110CFCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110D163 second address: 110D170 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F083C5154E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110D304 second address: 110D30A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110D30A second address: 110D310 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DB10 second address: 110DB38 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F083C517C46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F083C517C56h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DB38 second address: 110DB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DB3E second address: 110DB48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DB48 second address: 110DB6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F9h 0x00000007 je 00007F083C5154EEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DDD7 second address: 110DE0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F083C517C56h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F083C517C53h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DF85 second address: 110DFB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e jnc 00007F083C5154FAh 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DFB5 second address: 110DFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110DFB9 second address: 110DFC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110181A second address: 1101826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F083C517C46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1101826 second address: 110182A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110E94F second address: 110E971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C50h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F083C517C4Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110EAF8 second address: 110EAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110EAFE second address: 110EB02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 110EB02 second address: 110EB0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11106EB second address: 1110709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F083C517C46h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F083C517C4Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10D69A0 second address: 10D69A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10D69A4 second address: 10D69BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jl 00007F083C517C46h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 ja 00007F083C517C48h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1114DE2 second address: 1114E14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F083C5154E8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 je 00007F083C5154E6h 0x0000001c jmp 00007F083C5154EBh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1113C61 second address: 1113C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1113C65 second address: 1113C85 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F083C5154E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F083C5154EEh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1113C85 second address: 1113C8F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F083C517C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1117500 second address: 111750D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F083C5154E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111750D second address: 1117515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1117515 second address: 111751C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10DF023 second address: 10DF035 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F083C517C4Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111AFB0 second address: 111AFB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111AFB6 second address: 111AFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111AFBC second address: 111AFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111AFC0 second address: 111AFF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C50h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F083C517C46h 0x00000016 jmp 00007F083C517C58h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111B77A second address: 111B77E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111BA42 second address: 111BA52 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F083C517C4Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111BA52 second address: 111BA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111C9E2 second address: 111C9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111CBD9 second address: 111CBDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111CD26 second address: 111CD2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111CE0D second address: 111CE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111CE14 second address: 111CE2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F083C517C46h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnp 00007F083C517C54h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111CEE1 second address: 111CEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F083C5154E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111CEEB second address: 111CF03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F083C517C4Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111D1F0 second address: 111D20B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111D77B second address: 111D780 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111D851 second address: 111D855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111DBA3 second address: 111DBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111DC3A second address: 111DC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F083C5154E8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jbe 00007F083C5154E8h 0x0000002c push eax 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111DC72 second address: 111DC78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111DC78 second address: 111DC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 111E978 second address: 111E97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1121A7E second address: 1121A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1121A82 second address: 1121A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1121A86 second address: 1121A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11252F0 second address: 11252F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1125E5F second address: 1125EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F083C5154E8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 movsx esi, ax 0x00000025 push 00000000h 0x00000027 mov dword ptr [ebp+122D24EDh], eax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F083C5154E8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000015h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov si, dx 0x0000004c push eax 0x0000004d jo 00007F083C5154F0h 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1127864 second address: 112786E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F083C517C46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112786E second address: 1127889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F083C5154ECh 0x0000000b pushad 0x0000000c js 00007F083C5154E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1125BF8 second address: 1125BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11266D8 second address: 11266E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F083C5154E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1125BFC second address: 1125C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112A9FA second address: 112A9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112BB6B second address: 112BBF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push esi 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop esi 0x0000000e nop 0x0000000f mov ebx, edx 0x00000011 mov ebx, dword ptr [ebp+122D36DBh] 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov edi, dword ptr [ebp+12456B95h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b jmp 00007F083C517C52h 0x00000030 mov eax, dword ptr [ebp+122D0751h] 0x00000036 jmp 00007F083C517C4Fh 0x0000003b push FFFFFFFFh 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F083C517C48h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 xor bh, FFFFFFBDh 0x0000005a mov di, C20Ah 0x0000005e push eax 0x0000005f jo 00007F083C517C54h 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112D883 second address: 112D89E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112BBF0 second address: 112BBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112D89E second address: 112D8A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112E7DE second address: 112E7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112D9D3 second address: 112DA6E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F083C5154E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b call 00007F083C5154EDh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F083C5154F5h 0x00000018 popad 0x00000019 pop edi 0x0000001a push dword ptr fs:[00000000h] 0x00000021 push edx 0x00000022 add dword ptr [ebp+122D1EC6h], edi 0x00000028 pop ebx 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 mov eax, dword ptr [ebp+122D0F25h] 0x00000036 mov edi, 16104A31h 0x0000003b jmp 00007F083C5154F3h 0x00000040 push FFFFFFFFh 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007F083C5154E8h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c mov edi, dword ptr [ebp+122D37C7h] 0x00000062 nop 0x00000063 push eax 0x00000064 je 00007F083C5154ECh 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112E7E2 second address: 112E7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112DA6E second address: 112DA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112F864 second address: 112F868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112EA28 second address: 112EA3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F083C5154EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112F868 second address: 112F889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F083C517C56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112EA3B second address: 112EA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112F889 second address: 112F8F6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F083C517C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F083C517C48h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov di, si 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F083C517C48h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 xchg eax, esi 0x00000048 jmp 00007F083C517C55h 0x0000004d push eax 0x0000004e pushad 0x0000004f js 00007F083C517C4Ch 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1130964 second address: 1130979 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 112FAEB second address: 112FB1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F083C517C58h 0x00000012 jmp 00007F083C517C52h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1130979 second address: 113097D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A0C second address: 1131A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A2E second address: 1131A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A32 second address: 1131A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A40 second address: 1131A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A46 second address: 1131A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sbb edi, 7636CBEEh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F083C517C48h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b jo 00007F083C517C4Ch 0x00000031 mov dword ptr [ebp+122D2D01h], ecx 0x00000037 push 00000000h 0x00000039 xor dword ptr [ebp+1245BAABh], ecx 0x0000003f xchg eax, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A96 second address: 1131A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131A9A second address: 1131AA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131AA0 second address: 1131AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C5154EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131AB2 second address: 1131AC4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F083C517C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131AC4 second address: 1131ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131ACB second address: 1131AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1131C7C second address: 1131C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1133B2C second address: 1133B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1134B1A second address: 1134B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1136BA8 second address: 1136BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F083C517C46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1136BB2 second address: 1136C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F083C5154E8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F083C5154E8h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 movzx ebx, cx 0x00000044 push 00000000h 0x00000046 mov ebx, 0E8F3302h 0x0000004b mov ebx, 20F5060Bh 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 push ebx 0x00000055 pop ebx 0x00000056 jmp 00007F083C5154F7h 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1136C35 second address: 1136C63 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F083C517C5Bh 0x00000008 jmp 00007F083C517C55h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F083C517C4Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1136C63 second address: 1136C68 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1133CE3 second address: 1133CE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1134C40 second address: 1134C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1134C44 second address: 1134C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1134C48 second address: 1134C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F083C5154E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1139EB7 second address: 1139F81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnc 00007F083C517C4Ah 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F083C517C48h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c jmp 00007F083C517C4Dh 0x00000031 xor di, 7561h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F083C517C48h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 pushad 0x00000053 jmp 00007F083C517C52h 0x00000058 call 00007F083C517C56h 0x0000005d or dword ptr [ebp+122D3339h], ebx 0x00000063 pop edi 0x00000064 popad 0x00000065 mov dword ptr [ebp+12456B95h], ecx 0x0000006b push 00000000h 0x0000006d jmp 00007F083C517C54h 0x00000072 xchg eax, esi 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 push esi 0x00000077 pop esi 0x00000078 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1137F67 second address: 1137F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1138FBC second address: 1138FD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F083C517C58h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1138FD9 second address: 1138FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141A6F second address: 1141A81 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F083C517C4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141A81 second address: 1141A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141BCF second address: 1141BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F083C517C4Ah 0x0000000a jp 00007F083C517C4Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141BE5 second address: 1141C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007F083C5154F8h 0x0000000f jmp 00007F083C5154EFh 0x00000014 pop ecx 0x00000015 push esi 0x00000016 jmp 00007F083C5154F2h 0x0000001b jo 00007F083C5154E6h 0x00000021 pop esi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141D75 second address: 1141D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141D7B second address: 1141D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1141D85 second address: 1141D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 jno 00007F083C517C46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1144567 second address: 1144571 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F083C5154EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1144571 second address: 114457F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114457F second address: 1144584 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114E7B9 second address: 114E7D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C517C56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DC2D second address: 114DC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DC33 second address: 114DC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DDE0 second address: 114DDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DDE5 second address: 114DDF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C517C4Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DDF3 second address: 114DE14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d js 00007F083C5154E6h 0x00000013 jmp 00007F083C5154EDh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DE14 second address: 114DE1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114DE1C second address: 114DE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114E21D second address: 114E223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 114E223 second address: 114E236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 jc 00007F083C515506h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128B2D second address: 1128B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 58BBA218h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F083C517C48h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 movzx edx, si 0x0000002b push ADB2F219h 0x00000030 push eax 0x00000031 push edx 0x00000032 push esi 0x00000033 jnp 00007F083C517C46h 0x00000039 pop esi 0x0000003a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128B69 second address: 1128B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C5154F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128C32 second address: 1128C38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128DD5 second address: 1128DE0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128DE0 second address: 1128DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F083C517C4Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128F25 second address: 1128F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128F29 second address: 1128F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128F32 second address: 1128F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F083C5154E8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 sbb cl, FFFFFFA4h 0x00000026 push 00000004h 0x00000028 add di, 7F62h 0x0000002d nop 0x0000002e pushad 0x0000002f jp 00007F083C5154ECh 0x00000035 jns 00007F083C5154F3h 0x0000003b popad 0x0000003c push eax 0x0000003d push ecx 0x0000003e push eax 0x0000003f push edx 0x00000040 push edi 0x00000041 pop edi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1128F6F second address: 1128F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F083C517C53h 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11293E4 second address: 11293F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11293F0 second address: 11293F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1151FC9 second address: 1151FE2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F083C5154E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F083C5154EDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1151FE2 second address: 1152008 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F083C517C53h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1152564 second address: 1152568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1152568 second address: 115256C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115256C second address: 115257C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F083C5154E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11526C7 second address: 11526CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11526CB second address: 11526CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11526CF second address: 11526D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115280F second address: 115282C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C5154F3h 0x00000009 jns 00007F083C5154E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115296B second address: 1152971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1152971 second address: 11529B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C5154F5h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F083C5154F5h 0x00000012 pushad 0x00000013 jne 00007F083C5154E6h 0x00000019 ja 00007F083C5154E6h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11529B3 second address: 11529B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11573A7 second address: 11573AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11573AB second address: 11573B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11573B5 second address: 11573B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11573B9 second address: 11573DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C50h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007F083C517C46h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157946 second address: 115795A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F083C5154E6h 0x00000008 jng 00007F083C5154E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115795A second address: 1157960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157960 second address: 1157985 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F083C5154E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F083C5154F2h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F083C5154E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157AF3 second address: 1157AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157AF9 second address: 1157B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157D97 second address: 1157D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157D9D second address: 1157DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F083C5154E6h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F083C5154E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1157F28 second address: 1157F4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C4Ch 0x00000007 pushad 0x00000008 jmp 00007F083C517C53h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115CC69 second address: 115CC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C5154EDh 0x00000009 jmp 00007F083C5154F2h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115CF62 second address: 115CF6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D219 second address: 115D21D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D4CF second address: 115D4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D4D5 second address: 115D4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D4D9 second address: 115D4FF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F083C517C46h 0x00000008 jmp 00007F083C517C59h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D4FF second address: 115D50D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F083C5154E6h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D679 second address: 115D683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D683 second address: 115D696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F083C5154E6h 0x0000000a jl 00007F083C5154E6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D811 second address: 115D819 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D819 second address: 115D81E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115D975 second address: 115D98E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C517C53h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115DAEF second address: 115DB09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F083C5154F5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 115C83A second address: 115C858 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F083C517C59h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1160BFB second address: 1160C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F083C5154E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1160C05 second address: 1160C20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F083C517C55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1160C20 second address: 1160C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10D33FA second address: 10D3410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jbe 00007F083C517C46h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10D3410 second address: 10D3427 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1164478 second address: 116449C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C517C4Ah 0x00000009 jns 00007F083C517C46h 0x0000000f jmp 00007F083C517C4Ch 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 116449C second address: 11644A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F083C5154E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 116AF51 second address: 116AF69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C52h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 116DDD7 second address: 116DDE2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E3FFA second address: 10E4002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E4002 second address: 10E4027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 jc 00007F083C515512h 0x0000000c push esi 0x0000000d jmp 00007F083C5154F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E4027 second address: 10E402F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E402F second address: 10E4035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117461E second address: 1174624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1173ACB second address: 1173AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1173AD3 second address: 1173AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1173DAF second address: 1173DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117409F second address: 11740A9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F083C517C46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11740A9 second address: 11740B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11740B3 second address: 11740B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11740B9 second address: 11740BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1177604 second address: 1177609 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1177609 second address: 1177616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1177616 second address: 117761A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1176FC4 second address: 1176FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 10E0A7E second address: 10E0A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117C52D second address: 117C532 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117C532 second address: 117C54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007F083C517C4Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117C54E second address: 117C554 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117C9D9 second address: 117C9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F083C517C46h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 117C9E6 second address: 117C9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F083C5154E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1183451 second address: 11834AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F083C517C4Bh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F083C517C53h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 je 00007F083C517C5Fh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F083C517C51h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11834AB second address: 11834B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1183780 second address: 118378A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118378A second address: 1183790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184549 second address: 1184578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C517C57h 0x00000009 jmp 00007F083C517C54h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184578 second address: 11845A6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F083C5154E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F083C5154EAh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a jc 00007F083C5154E6h 0x00000020 jc 00007F083C5154E6h 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b pop eax 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184877 second address: 118487B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E57 second address: 1184E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E62 second address: 1184E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E66 second address: 1184E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E6A second address: 1184E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E70 second address: 1184E75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E75 second address: 1184E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F083C517C46h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jc 00007F083C517C46h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1184E8B second address: 1184E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118EEC6 second address: 118EEE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F083C517C55h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118F328 second address: 118F32C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118F5CA second address: 118F5D4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F083C517C46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118F8C2 second address: 118F8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jng 00007F083C5154E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118F8D0 second address: 118F903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F083C517C53h 0x00000013 jmp 00007F083C517C52h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 118F903 second address: 118F917 instructions: 0x00000000 rdtsc 0x00000002 js 00007F083C5154E8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e ja 00007F083C5154E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1197565 second address: 119756A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119756A second address: 1197570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1197570 second address: 1197574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1197574 second address: 119758B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11979D4 second address: 11979E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11979E3 second address: 11979E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1197B25 second address: 1197B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1197B2E second address: 1197B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F083C5154E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1197B3A second address: 1197B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1198966 second address: 1198985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F083C5154E6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F083C5154EAh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1198985 second address: 1198989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1198989 second address: 119899E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F083C5154EAh 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119904A second address: 119904E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1196F74 second address: 1196F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154EBh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F083C5154ECh 0x00000011 jp 00007F083C5154E6h 0x00000017 pop edi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007F083C5154E6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1196F9D second address: 1196FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119EFEF second address: 119EFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119EFF5 second address: 119F018 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F083C517C59h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119F018 second address: 119F01C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119F01C second address: 119F028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119F028 second address: 119F02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119EA28 second address: 119EA2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119EB6E second address: 119EB7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F083C5154E6h 0x0000000a js 00007F083C5154E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119EB7E second address: 119EB92 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F083C517C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jns 00007F083C517C46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119ECDF second address: 119ECE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F083C5154E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 119ECE9 second address: 119ED03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C56h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C6240 second address: 11C6244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C6244 second address: 11C6255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F083C517C46h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C6255 second address: 11C6281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F7h 0x00000007 jno 00007F083C5154E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jbe 00007F083C5154E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C4F3C second address: 11C4F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C50AD second address: 11C50BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F083C5154EBh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C50BE second address: 11C50E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C4Ah 0x00000007 je 00007F083C517C46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F083C517C52h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C50E8 second address: 11C5120 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F083C5154FBh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F083C5154EBh 0x00000017 jbe 00007F083C5154E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C5120 second address: 11C5126 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C5126 second address: 11C5153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154EFh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F083C5154F8h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C5153 second address: 11C5157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C53D4 second address: 11C53DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F083C5154E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C5563 second address: 11C556D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F083C517C46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C556D second address: 11C5576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C9C75 second address: 11C9C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C9C7F second address: 11C9C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C9C87 second address: 11C9C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F083C517C46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C9C94 second address: 11C9CB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F083C515516h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F083C5154F2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C9DC6 second address: 11C9DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11C9DCA second address: 11C9DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11CE35D second address: 11CE374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C4Ah 0x00000007 js 00007F083C517C46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11CE374 second address: 11CE382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F083C5154E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11D79F1 second address: 11D79F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11D79F5 second address: 11D7A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F083C5154EBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11D7A06 second address: 11D7A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11D7A0A second address: 11D7A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C5154F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F083C5154E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11D7A30 second address: 11D7A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11D4499 second address: 11D44A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11E5705 second address: 11E570B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11E6F99 second address: 11E6FB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11EAB52 second address: 11EAB56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11EAB56 second address: 11EAB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 11EA78F second address: 11EA7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F083C517C4Bh 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 120100B second address: 120100F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 12000D7 second address: 12000E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F083C517C46h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 12000E7 second address: 12000EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 12007DA second address: 12007F2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F083C517C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F083C517C4Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1200BED second address: 1200BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jl 00007F083C5154E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1202646 second address: 120264B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1203D34 second address: 1203D52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154F4h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1203D52 second address: 1203D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C517C56h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1203D6C second address: 1203D86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154ECh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F083C5154E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 120673E second address: 1206742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206742 second address: 1206748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206748 second address: 1206756 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206756 second address: 1206761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F083C5154E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206980 second address: 120699A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C517C55h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206A48 second address: 1206A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C5154EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F083C5154E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206A64 second address: 1206A90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F083C517C58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F083C517C4Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206A90 second address: 1206AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007F083C5154EDh 0x0000000e ja 00007F083C5154F5h 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F083C5154EDh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206D69 second address: 1206D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F083C517C4Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1206D7F second address: 1206D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1208242 second address: 1208246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1208246 second address: 120824C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 120824C second address: 1208263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F083C517C4Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 1208263 second address: 120826F instructions: 0x00000000 rdtsc 0x00000002 je 00007F083C5154E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 120826F second address: 1208281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F083C517C46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	RDTSC instruction interceptor: First address: 120A08E second address: 120A094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Special instruction interceptor: First address: F6A8A1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Special instruction interceptor: First address: F6A95D instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\v3tb7mqP48.exe TID: 2732	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe TID: 2852	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: v3tb7mqP48.exe, v3tb7mqP48.exe, 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: v3tb7mqP48.exe, 00000000.00000003.2150020200.0000000001518000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: v3tb7mqP48.exe, 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	File opened: NTICE
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	File opened: SICE
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\v3tb7mqP48.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Code function: 0_2_00F502C0 LdrInitializeThunk,

0_2_00F502C0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: v3tb7mqP48.exe	String found in binary or memory: robinsharez.shop
Source: v3tb7mqP48.exe	String found in binary or memory: chipdonkeruz.shop
Source: v3tb7mqP48.exe	String found in binary or memory: handscreamny.shop
Source: v3tb7mqP48.exe	String found in binary or memory: crowdwarek.shop
Source: v3tb7mqP48.exe	String found in binary or memory: versersleep.shop
Source: v3tb7mqP48.exe	String found in binary or memory: femalsabler.shop
Source: v3tb7mqP48.exe	String found in binary or memory: apporholis.shop
Source: v3tb7mqP48.exe	String found in binary or memory: letterdrive.shop
Source: v3tb7mqP48.exe	String found in binary or memory: soundtappysk.shop

Source: v3tb7mqP48.exe, v3tb7mqP48.exe, 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: XbUProgram Manager

Source: C:\Users\user\Desktop\v3tb7mqP48.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
v3tb7mqP48.exe	61%	ReversingLabs	Win32.Trojan.Symmi
v3tb7mqP48.exe	67%	Virustotal		Browse
v3tb7mqP48.exe	100%	Avira	TR/Crypt.TPM.Gen
v3tb7mqP48.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
letterdrive.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
letterdrive.shop	unknown	unknown	true	unknown
femalsabler.shop	unknown	unknown	true	unknown
robinsharez.shop	unknown	unknown	true	unknown
soundtappysk.shop	unknown	unknown	true	unknown
crowdwarek.shop	unknown	unknown	true	unknown
versersleep.shop	unknown	unknown	true	unknown
chipdonkeruz.shop	unknown	unknown	true	unknown
apporholis.shop	unknown	unknown	true	unknown
handscreamny.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	false		high
versersleep.shop	false		high
crowdwarek.shop	false		high
letterdrive.shop	true	Avira URL Cloud: malware	unknown
femalsabler.shop	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
soundtappysk.shop	false		high
apporholis.shop	false		high
handscreamny.shop	false		high
chipdonkeruz.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	v3tb7mqP48.exe, 00000000.00000003.2150020200.0000000001518000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/76561199724331900s	v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	v3tb7mqP48.exe, 00000000.00000002.2150773954.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149885058.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	v3tb7mqP48.exe, 00000000.00000003.2150020200.0000000001518000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000002.2150934256.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	v3tb7mqP48.exe, 00000000.00000003.2149850227.0000000001558000.00000004.00000020.00020000.00000000.sdmp, v3tb7mqP48.exe, 00000000.00000003.2149850227.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586506
Start date and time:	2025-01-09 08:41:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	v3tb7mqP48.exe renamed because original name is a hash value
Original Sample Name:	d95295774a298d56818441b8632671ff.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.60
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:42:34	API Interceptor	4x Sleep call for process: v3tb7mqP48.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	23.60.214.185
	https://workdrive.zohopublic.com/writer/open/p369v39db425d23f84b09b5751cf359b081f4	Get hash	malicious	Unknown	Browse	2.19.126.143
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	23.38.98.78
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse	23.56.162.204
	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	23.56.162.204
	malw.hta	Get hash	malicious	Unknown	Browse	23.56.162.204
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	EPSONOPOSADKV3.00ER10.zip	Get hash	malicious	Unknown	Browse	184.28.90.27
	miori.x86.elf	Get hash	malicious	Unknown	Browse	104.123.242.179
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	2.19.126.89

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	104.102.49.254
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	Rgr8LJz.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	random.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9499449046218915
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	v3tb7mqP48.exe
File size:	1'883'136 bytes
MD5:	d95295774a298d56818441b8632671ff
SHA1:	b2c3429a55a7a0cc872701286b7890f0df6db885
SHA256:	810297ae1facff74c9639568a9a7eb8b4ac14af8148924ab07939cbc8e8c0a42
SHA512:	001f4774773cf9fcf12d3b1a0a941694bd640a9e106cfdc25f8697e988a65936d97adb2abd7065e4c9dbf5c336b72e4f1f26c64f646f2cba1b03fadebe1afb40
SSDEEP:	49152:fq8PwiP7IMwOj4gcSYH7QgMiHqkvM/MSVyKwApU:fqBiP7IMwVIYBM4DEtVQA
TLSH:	269533EA9C424830DE88B2BB31DDCAF47A35F5456D7DC49D906A2B2CE65E3D20C54B23
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...TQ}g.................(...........`J...........@...........................J.....5I....@.................................Y`..m..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677D5154 [Tue Jan 7 16:07:48 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F083D20C6BAh
setp byte ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F083D20E6B5h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x56059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x561f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x54000	0x27c00	cf6e370ee17af8bc6bb3028f5d451c9b	False	0.9977766312893082	data	7.989013121208089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x2b0	0x200	93a97828b12fc1fe7cb85d8cd8171714	False	0.794921875	data	6.023244200265927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x56000	0x1000	0x200	20eae372ffdb39486b5a3eec1e928253	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x57000	0x2ad000	0x200	10eccc9b471d06e3f8a24d6acda3c7c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zmioojwu	0x304000	0x1a1000	0x1a0400	ab16992cea046d90fc4bf8426deca1ae	False	0.9949271537162162	data	7.9544708640715545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
psvnanhn	0x4a5000	0x1000	0x400	af5135dcae46438203d23f2dd6417b91	False	0.775390625	data	6.056838724385254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a6000	0x3000	0x2200	e80bc49164462f54160a8beb1a1e31ce	False	0.0739889705882353	DOS executable (COM)	0.7951717060167889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a4104	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:42:35.130052+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.6	51553	1.1.1.1	53	UDP
2025-01-09T08:42:35.156211+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.6	53133	1.1.1.1	53	UDP
2025-01-09T08:42:35.168487+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.6	50700	1.1.1.1	53	UDP
2025-01-09T08:42:35.179896+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.6	50451	1.1.1.1	53	UDP
2025-01-09T08:42:35.190868+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.6	52514	1.1.1.1	53	UDP
2025-01-09T08:42:35.202279+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.6	52316	1.1.1.1	53	UDP
2025-01-09T08:42:35.215414+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.6	51832	1.1.1.1	53	UDP
2025-01-09T08:42:35.225729+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.6	52053	1.1.1.1	53	UDP
2025-01-09T08:42:35.920977+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49709	104.102.49.254	443	TCP
2025-01-09T08:42:36.415000+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49709	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:42:35.248876095 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:35.248930931 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:35.249027014 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:35.252235889 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:35.252252102 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:35.920895100 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:35.920977116 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:35.924949884 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:35.924968004 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:35.925235033 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:35.975078106 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.015341997 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415025949 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415052891 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415091038 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415106058 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415108919 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.415143013 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415153980 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.415167093 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.415167093 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.415188074 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.502644062 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.502696991 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.502724886 CET	443	49709	104.102.49.254	192.168.2.6
Jan 9, 2025 08:42:36.502770901 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.502824068 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.507790089 CET	49709	443	192.168.2.6	104.102.49.254
Jan 9, 2025 08:42:36.507811069 CET	443	49709	104.102.49.254	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:42:35.115632057 CET	59438	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.124532938 CET	53	59438	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.130052090 CET	51553	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.139302015 CET	53	51553	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.156210899 CET	53133	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.164891958 CET	53	53133	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.168487072 CET	50700	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.177310944 CET	53	50700	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.179896116 CET	50451	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.188510895 CET	53	50451	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.190867901 CET	52514	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.199948072 CET	53	52514	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.202279091 CET	52316	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.213144064 CET	53	52316	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.215414047 CET	51832	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.223654985 CET	53	51832	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.225728989 CET	52053	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.233886957 CET	53	52053	1.1.1.1	192.168.2.6
Jan 9, 2025 08:42:35.235970974 CET	63825	53	192.168.2.6	1.1.1.1
Jan 9, 2025 08:42:35.244504929 CET	53	63825	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:42:35.115632057 CET	192.168.2.6	1.1.1.1	0xdc7b	Standard query (0)	letterdrive.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.130052090 CET	192.168.2.6	1.1.1.1	0xcde7	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.156210899 CET	192.168.2.6	1.1.1.1	0x3129	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.168487072 CET	192.168.2.6	1.1.1.1	0x8233	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.179896116 CET	192.168.2.6	1.1.1.1	0x687c	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.190867901 CET	192.168.2.6	1.1.1.1	0xf024	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.202279091 CET	192.168.2.6	1.1.1.1	0xd48f	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.215414047 CET	192.168.2.6	1.1.1.1	0xf40f	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.225728989 CET	192.168.2.6	1.1.1.1	0xfdab	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.235970974 CET	192.168.2.6	1.1.1.1	0xded8	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:42:35.124532938 CET	1.1.1.1	192.168.2.6	0xdc7b	Name error (3)	letterdrive.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.139302015 CET	1.1.1.1	192.168.2.6	0xcde7	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.164891958 CET	1.1.1.1	192.168.2.6	0x3129	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.177310944 CET	1.1.1.1	192.168.2.6	0x8233	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.188510895 CET	1.1.1.1	192.168.2.6	0x687c	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.199948072 CET	1.1.1.1	192.168.2.6	0xf024	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.213144064 CET	1.1.1.1	192.168.2.6	0xd48f	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.223654985 CET	1.1.1.1	192.168.2.6	0xf40f	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.233886957 CET	1.1.1.1	192.168.2.6	0xfdab	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:42:35.244504929 CET	1.1.1.1	192.168.2.6	0xded8	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	104.102.49.254	443	6456	C:\Users\user\Desktop\v3tb7mqP48.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:42:35 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-09 07:42:36 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 09 Jan 2025 07:42:36 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=f25ddf89bd9793abb0eae7c4; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-09 07:42:36 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-09 07:42:36 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	02:42:31
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\v3tb7mqP48.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\v3tb7mqP48.exe"
Imagebase:	0xf10000
File size:	1'883'136 bytes
MD5 hash:	D95295774A298D56818441B8632671FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.3%
Total number of Nodes:	60
Total number of Limit Nodes:	3

Executed Functions

Function 00F1B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`/(), xrefs: 00F1B588
6C(], xrefs: 00F1B382
K{Du, xrefs: 00F1B3DA
?_oY, xrefs: 00F1B389
@w@q, xrefs: 00F1B3E4
Bc*}, xrefs: 00F1B3C6
fWpQ, xrefs: 00F1B397

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: aa07263ee4842eb1028982245f56b3db35f0e0240d9145ab88d55445f52ea8c6
Instruction ID: 8e70c90a2bedd083eda9096a696ffddab1f2bfb0493ad285963f018a6819fc75
Opcode Fuzzy Hash: aa07263ee4842eb1028982245f56b3db35f0e0240d9145ab88d55445f52ea8c6
Instruction Fuzzy Hash: AD127AB5104B05CFD324CF25E891B97BBF6FB48315F148A2CD6AA8BA90D774A406DF90

Function 00F18880 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00F18AB8

Strings

6W01, xrefs: 00F189B5

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: ExitProcess
String ID: 6W01
API String ID: 621844428-326071965
Opcode ID: d80b2fd9d884f71d6f1cea803080bdb27c02e24985f01c40b4456ee2a38c3bbf
Instruction ID: f6461154c92e0b3b7137a2270990a3f431b696a2cc23af4858f3e38730bd8904
Opcode Fuzzy Hash: d80b2fd9d884f71d6f1cea803080bdb27c02e24985f01c40b4456ee2a38c3bbf
Instruction Fuzzy Hash: C951AC73A443051BD328AA759C46396BAC78BC1320F1FC5399E95AF3D2ED7C9C0662C2

Function 00F1AA36 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 00F1AA37
MO, xrefs: 00F1A9CF

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 1295b77deb15560c4961e2dbaa2f7829a820b4ab5dd02a5197b47fe209cb97b7
Instruction ID: d813a5fc54e1d491ad1c27fd5216f944fe57e81e9a9446f83b00edb275f8f765
Opcode Fuzzy Hash: 1295b77deb15560c4961e2dbaa2f7829a820b4ab5dd02a5197b47fe209cb97b7
Instruction Fuzzy Hash: 2111CB705453818BEF148F68DE952A7BFA0EF06320F24A988DC465F38BC638C541CF60

Function 00F502C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00F5316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00F502EE

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00F50260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,00F1B9C7,00000000,00000001), ref: 00F50292

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 314d48ba8ffaac17d4411410f25f0b9801f1159dc24b5f8cf28971f13ca16aeb
Instruction ID: ddd1471de7c458180c197846962996f9320496f74b770926a6c17380d84d8c54
Opcode Fuzzy Hash: 314d48ba8ffaac17d4411410f25f0b9801f1159dc24b5f8cf28971f13ca16aeb
Instruction Fuzzy Hash: A8E09B32514711ABC7112B347C19B173A64EFC5713F050834FD0156111DB39F805B692

Function 00F1AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 00F1AB46

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 02d0ca0be176e6bc66f7e1498d07cc89d975148cc16934c964fabc099d575d1b
Instruction ID: 8c15fc2749fddd913741d78a92909c4e210f29f0966a17d68935c9331f431bb0
Opcode Fuzzy Hash: 02d0ca0be176e6bc66f7e1498d07cc89d975148cc16934c964fabc099d575d1b
Instruction Fuzzy Hash: 11E0C2321D430CBBE2087750FD0FD963616BB4230BB044118AE1A50177D5122429B6A2

Function 00F4EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00F502AB,?,00F1B9C7,00000000,00000001), ref: 00F4EB60

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f44a71d51cf7e9eb4cae0aa7ced231b875d06674e9a0a89d492eca51e9887796
Instruction ID: 324a1d7ef82003e64141687cbdcacf7a777233ce6f5fa52a8aec544aa7987c58
Opcode Fuzzy Hash: f44a71d51cf7e9eb4cae0aa7ced231b875d06674e9a0a89d492eca51e9887796
Instruction Fuzzy Hash: D6D0C931445526EBC6112B28BC05BC73B94EF49762F0B08A1F640AA064E765AC91AAD4

Function 00F4EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00F502A0), ref: 00F4EB30

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 52cd6cb2060e25f6cf645238bc54c15aff20b6d2cc4dd5e789d45d00ce0674b2
Instruction ID: 55fce49f238e1757c1caf7bd916285f7cc2b1c272c067d13a72089189fdfb453
Opcode Fuzzy Hash: 52cd6cb2060e25f6cf645238bc54c15aff20b6d2cc4dd5e789d45d00ce0674b2
Instruction Fuzzy Hash: 07C04831046120ABCA206B14EC09BCA3B68EF862A2F0600A5F605660B186A0BC82EA95

Non-executed Functions

Function 00F33EFF Relevance: 70.4, Strings: 56, Instructions: 350COMMON

Download Yara Rule

Strings

>, xrefs: 00F33FEA
r, xrefs: 00F341B4
n, xrefs: 00F33FCE
n, xrefs: 00F34257
p, xrefs: 00F341C2
-, xrefs: 00F341BB
>, xrefs: 00F33F4E
d, xrefs: 00F3423F
?, xrefs: 00F33F42
\, xrefs: 00F34136
f, xrefs: 00F33FEE
x, xrefs: 00F341FA
?, xrefs: 00F34183
~, xrefs: 00F34208
|, xrefs: 00F34216
N, xrefs: 00F34198
V, xrefs: 00F33F52
@, xrefs: 00F34263
q, xrefs: 00F33FDE
1, xrefs: 00F33FC2
b, xrefs: 00F34224
:, xrefs: 00F34253
}, xrefs: 00F34390
@, xrefs: 00F34152
l, xrefs: 00F3425F
7, xrefs: 00F33FD6
h, xrefs: 00F34175
x, xrefs: 00F33F3E
F, xrefs: 00F34160
8, xrefs: 00F33F4A
0, xrefs: 00F33FD2
D, xrefs: 00F3416E
j, xrefs: 00F34247
v, xrefs: 00F341D0
A, xrefs: 00F343AC
Q, xrefs: 00F341C9
0, xrefs: 00F33FE6
t, xrefs: 00F341DE
&, xrefs: 00F3414B
4, xrefs: 00F33FE2
H, xrefs: 00F3418A
&, xrefs: 00F33FCA
N, xrefs: 00F3439E
X, xrefs: 00F3411A
`, xrefs: 00F3422F
B, xrefs: 00F34144
h, xrefs: 00F3424F
/, xrefs: 00F33F46
1, xrefs: 00F33FDA
f, xrefs: 00F34237
^, xrefs: 00F34128
z, xrefs: 00F341EC
J, xrefs: 00F3417C
(, xrefs: 00F341AD
L, xrefs: 00F341A6
2, xrefs: 00F33FC6

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
API String ID: 0-1862720121
Opcode ID: cfd73e8c3e1b536d37726520186baafac54a90f930cdbb44d48f6fe2d0ca53e7
Instruction ID: 11663527b0bbee9214c6d63383374852271a30ad6c394dd47ffb9cd2edc557a6
Opcode Fuzzy Hash: cfd73e8c3e1b536d37726520186baafac54a90f930cdbb44d48f6fe2d0ca53e7
Instruction Fuzzy Hash: F3026121D087D989DB22C67C8C583CDBFA11B63324F1843DDD1E86B3D6D6B90546DB62

Function 00F4A4EF Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

o, xrefs: 00F4A7EE
9, xrefs: 00F4A541
:, xrefs: 00F4A509
n, xrefs: 00F4A7E7
c, xrefs: 00F4A79A
k, xrefs: 00F4A7D2
{, xrefs: 00F4A628
M, xrefs: 00F4A6A6
i, xrefs: 00F4A7C4
y, xrefs: 00F4A61A
s, xrefs: 00F4A5F0
G, xrefs: 00F4A67C
>, xrefs: 00F4A764
0, xrefs: 00F4A936
x, xrefs: 00F4A533
<, xrefs: 00F4A75B
e, xrefs: 00F4A7A8
c, xrefs: 00F4A580
i, xrefs: 00F4A5AA
g, xrefs: 00F4A59C
=, xrefs: 00F4A517
m, xrefs: 00F4A7E0
a, xrefs: 00F4A572
C, xrefs: 00F4A660
k, xrefs: 00F4A5B8
q, xrefs: 00F4A5E2
g, xrefs: 00F4A7B6
+, xrefs: 00F4A55D
}, xrefs: 00F4A636
A, xrefs: 00F4A652
L, xrefs: 00F4A69F
3, xrefs: 00F4A54F
E, xrefs: 00F4A66E
e, xrefs: 00F4A58E
a, xrefs: 00F4A78C
m, xrefs: 00F4A5C6
u, xrefs: 00F4A5FE
w, xrefs: 00F4A60C
%, xrefs: 00F4A525
o, xrefs: 00F4A5D4
D, xrefs: 00F4A4FB
I, xrefs: 00F4A68A
K, xrefs: 00F4A698

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 00c75bbb8087f53af7a14a907b8cfbab89a899645532c20d51975eeb979856c6
Instruction ID: f616770cd20d7ddf82816130b531ae7ad55f701d4f9aa6b1613c1a4b9482aa67
Opcode Fuzzy Hash: 00c75bbb8087f53af7a14a907b8cfbab89a899645532c20d51975eeb979856c6
Instruction Fuzzy Hash: 11F170319086E98ADB32C63C8C443DDBFB15B52324F0843D9D4A9AB3D2D6754F86DB62

Function 00F49923 Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

G, xrefs: 00F49AD7
x, xrefs: 00F49B7F
F, xrefs: 00F49AC7
s, xrefs: 00F49B4F
=, xrefs: 00F49A1D
r, xrefs: 00F49BB7
*, xrefs: 00F49A7F
], xrefs: 00F49ACF
U, xrefs: 00F49AFF
j, xrefs: 00F49B1F
t, xrefs: 00F49B5F
<, xrefs: 00F49A0F
1, xrefs: 00F499BB
I, xrefs: 00F49D0E
T, xrefs: 00F49BCF
-, xrefs: 00F499AD
f, xrefs: 00F49E23
i, xrefs: 00F49B2F
_, xrefs: 00F49ABF
S, xrefs: 00F49A8F
e, xrefs: 00F49E1C
F, xrefs: 00F49A97
$, xrefs: 00F499E5
{, xrefs: 00F49B77
w, xrefs: 00F49B17
7, xrefs: 00F49A71
4, xrefs: 00F49DFF
5, xrefs: 00F499D7
O, xrefs: 00F49D16
2, xrefs: 00F49A55
Y, xrefs: 00F49AE7
j, xrefs: 00F49B37
=, xrefs: 00F49B8F
c, xrefs: 00F49B07
i, xrefs: 00F49B6F
=, xrefs: 00F49A01
S, xrefs: 00F49D26
Z, xrefs: 00F49AF7
H, xrefs: 00F49AEF
~, xrefs: 00F49B3F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: 3d18270adbd7827a3288796f8a9092506f9ada85b2a8b2b9894ed81a8caa80b3
Instruction ID: b3b996b566d24b58cbee30c932d089bd9038d3428dce76c37b46234aef49cd4a
Opcode Fuzzy Hash: 3d18270adbd7827a3288796f8a9092506f9ada85b2a8b2b9894ed81a8caa80b3
Instruction Fuzzy Hash: 22225021D087EA89DB32C67C8C483CEBE615B67224F1843D9D4F86B3D2C7750A46DB66

Function 00F4B870 Relevance: 21.9, APIs: 2, Strings: 10, Instructions: 888COMMON

Download Yara Rule

Strings

e?^, xrefs: 00F4BC4F
96, xrefs: 00F4BE52
:;$%, xrefs: 00F4C2EC
[&h$, xrefs: 00F4BE32
M, xrefs: 00F4BB5B
F*R(, xrefs: 00F4BE2A
#~|, xrefs: 00F4B89D
k"@ , xrefs: 00F4BE3A
n:T8, xrefs: 00F4BE4A
#~|, xrefs: 00F4B8A7

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 0-2807872674
Opcode ID: 31062a5215aa4a6863ee58e1b021c10247b9d7799440a440b937a66e913daaa2
Instruction ID: 0eded53ec1f04a564db62bfc940270841f552cfc15109a0b239a1a77fb8714aa
Opcode Fuzzy Hash: 31062a5215aa4a6863ee58e1b021c10247b9d7799440a440b937a66e913daaa2
Instruction Fuzzy Hash: C3521172A093408BD714CF28C8917ABFBE1EFC5314F189A2DE99587391D774D806DB92

Function 00F35100 Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 481COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00F351AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00F35243

Strings

.T'j, xrefs: 00F353BB
%\)R, xrefs: 00F353AB
+$e, xrefs: 00F351F2
+$e, xrefs: 00F35165, 00F3517A
C`<f, xrefs: 00F353D3
:@&F, xrefs: 00F35393
XY, xrefs: 00F35146
?P:V, xrefs: 00F353B3
1D6Z, xrefs: 00F3539B
,X*^, xrefs: 00F353A3

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY
API String ID: 237503144-4169835429
Opcode ID: cd9831a906e4064d65f0421100f1adff090e167ebaedf3fd3a774f51e684207c
Instruction ID: cf386bd26a8ad8760c7397b9c3b85dfaf3c62fed44c9487757c6e0e4c7a496cb
Opcode Fuzzy Hash: cd9831a906e4064d65f0421100f1adff090e167ebaedf3fd3a774f51e684207c
Instruction Fuzzy Hash: 97F1DDB1608344DFD314DF68D89166BBBE0EFC5724F14892CE6958B391E7B8C906DB82

Function 00F29840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00F29CE7
FreeLibrary.KERNEL32(?), ref: 00F29D24

Part of subcall function 00F502C0: LdrInitializeThunk.NTDLL(00F5316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00F502EE

Strings

~|, xrefs: 00F29B2E
if, xrefs: 00F29B1C
vt, xrefs: 00F29AFC
tj, xrefs: 00F29BBA
pv, xrefs: 00F29BB2
#v, xrefs: 00F29CE7, 00F29D24
SP, xrefs: 00F29BF2

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$#v$pv$tj$vt
API String ID: 764372645-1058522317
Opcode ID: 884c8ac764e7c131058b1ef6a707fb6b222ed7ff7d4ca5c61dcdae795d98c096
Instruction ID: 0271d1212a549169626f37872f4bb4d55e3ed6ef3ab4e1d5ee6c43638ec713e1
Opcode Fuzzy Hash: 884c8ac764e7c131058b1ef6a707fb6b222ed7ff7d4ca5c61dcdae795d98c096
Instruction Fuzzy Hash: 1462F770A083209FE724CB14EC9172BB7E2EFC4724F18851CF5D5972A1E775AC45AB92

Function 00F35D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

Wdz, xrefs: 00F36396
8I>K, xrefs: 00F36858
$@7F, xrefs: 00F3633C
&$, xrefs: 00F366A0
+\1R, xrefs: 00F3635A
2E1G, xrefs: 00F36876
T`Sf, xrefs: 00F3638C
(X#^, xrefs: 00F36350
4D2Z, xrefs: 00F36346
-T,j, xrefs: 00F3636E
qs, xrefs: 00F35E96
uVw, xrefs: 00F35EA0

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: 0dc4c927c35c5d37a25aeed7c73d8bbf76c81a61fcd0d575d96977211cb7277c
Instruction ID: 04d3c4ce89b50d8c9aa808c48d5a34fa70562eb4a77033629de4dcea16c441cc
Opcode Fuzzy Hash: 0dc4c927c35c5d37a25aeed7c73d8bbf76c81a61fcd0d575d96977211cb7277c
Instruction Fuzzy Hash: 767272B4905269CFDB24CF55D880BDDBBB2FB46300F1581E8C5496B362DB749A86CF80

Function 00F27405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

~, xrefs: 00F28158
5&'d, xrefs: 00F275E5
O, xrefs: 00F27625

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: 3adf5d7d1ac588c01630155b3023692fcd2dda3fa07efec8a45e3fd988177211
Instruction ID: b386e426225ad3b9438540b27b2b932c4a3320dc519d133d81415fcdf51ba8a1
Opcode Fuzzy Hash: 3adf5d7d1ac588c01630155b3023692fcd2dda3fa07efec8a45e3fd988177211
Instruction Fuzzy Hash: 0A82287190C3618FC724DF28D8917ABB7E1FF99324F188A6CE4C59B291E7389901DB52

Function 010DBE74 Relevance: 13.0, Strings: 9, Instructions: 1704COMMON

Download Yara Rule

Strings

aC__, xrefs: 010DD0F0
^~g/, xrefs: 010DC1EE
!'wx, xrefs: 010DC0EF
=(|, xrefs: 010DC409
2T$}, xrefs: 010DCBB9
(2.D, xrefs: 010DC84C
9 wg, xrefs: 010DC7E7
):/n, xrefs: 010DD2B3
@_ x, xrefs: 010DC005

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: !'wx$(2.D$):/n$2T$}$9 wg$=(|$@_ x$^~g/$aC__
API String ID: 0-4158214308
Opcode ID: 7486be808bac6d68c61b2ba35c835d967e9ca39f5321ba0ac164f38cefeb84f9
Instruction ID: ebd5631cc25a6bb8eb3316e3cba26e1db2d043938994cf16fc8855fda7014244
Opcode Fuzzy Hash: 7486be808bac6d68c61b2ba35c835d967e9ca39f5321ba0ac164f38cefeb84f9
Instruction Fuzzy Hash: 05B25BF360C2049FE304AE2DEC8567ABBE5EFD4320F16863DE6C5C7744EA3598058696

Function 00F357E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00F358F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00F3595D

Strings

B"@, xrefs: 00F35818
`J/H, xrefs: 00F35826
=^"\, xrefs: 00F35ABF
)RSP, xrefs: 00F359A1
rp, xrefs: 00F35834

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: 913a9b5e6616bce1044b208fb5cfa437e4efb5eb28d7570c4576df0820cd0810
Instruction ID: 5723e15695a30d5c02e911879e71e86e3b6aed8d4dd18cfc709d493cd91210e4
Opcode Fuzzy Hash: 913a9b5e6616bce1044b208fb5cfa437e4efb5eb28d7570c4576df0820cd0810
Instruction Fuzzy Hash: 94A121B2E44318CFDB14CFA8DC827EEBBB1FB84324F154168E515AB291D7B59902CB90

Function 00F25720 Relevance: 11.8, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

DASS, xrefs: 00F2629C
a, xrefs: 00F263D3
NR@:, xrefs: 00F26291
9?4<, xrefs: 00F26345
L, xrefs: 00F262B2
R(RW, xrefs: 00F26265
F2}0, xrefs: 00F25A76
BYQZ, xrefs: 00F26286

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: 97b6b5c8c01132e35a8567521fef3ae4b41a178ad1ab0585d1db0ad1456c53d0
Instruction ID: d8746a6c557f40573fea9cd5d023fce3bd3deff9ffee5fad91b567f2604d33eb
Opcode Fuzzy Hash: 97b6b5c8c01132e35a8567521fef3ae4b41a178ad1ab0585d1db0ad1456c53d0
Instruction Fuzzy Hash: 3DC22672A083509FD720DF28DC957ABB7E1FF85314F18892CE5C99B291EB349845DB82

Function 00F2C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,\/b, xrefs: 00F2C912
C`6f, xrefs: 00F2C919
+P%V, xrefs: 00F2C8FD
C`6f, xrefs: 00F2C73C, 00F2CBB1, 00F2CC7D
2T'Z, xrefs: 00F2C904
*H%N, xrefs: 00F2C8EF
4D"J, xrefs: 00F2C8E8
,X0^, xrefs: 00F2C90B

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: b1d8bf9728978b1f5ca9769a781b641018b6a8d1766dd4758aa56193e368a45b
Instruction ID: a60a4b874a3cf166c9f8fa075d6fc93e021fa14e99631bfbcc18ddc07a5b972b
Opcode Fuzzy Hash: b1d8bf9728978b1f5ca9769a781b641018b6a8d1766dd4758aa56193e368a45b
Instruction Fuzzy Hash: A632F4B1D002258BCB24CF24C8927ABB7B2FF95324F28825CD8456F395E775A942DBD1

Function 00F30D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

"G3A, xrefs: 00F31026
?S2], xrefs: 00F30F4E
2W<Q, xrefs: 00F30F46
%K9U, xrefs: 00F30F3E
<O)I, xrefs: 00F30F36
?_%Y, xrefs: 00F30F56
>C;M"G3A, xrefs: 00F311E3
>C;M, xrefs: 00F30F2E

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: c12c17dc14ffb7e5f77799b1001b7989ab1dc95ce8eb472c5a9d334e5d02af6e
Instruction ID: 6657428437e9498cda84ea6918befbda34956da801cd717629e7c511569a2552
Opcode Fuzzy Hash: c12c17dc14ffb7e5f77799b1001b7989ab1dc95ce8eb472c5a9d334e5d02af6e
Instruction Fuzzy Hash: 12E1F0B59083108BC328DF64C89276BB7F1FFD6364F098A1CE4968B394E7349945DB92

Function 00F37860 Relevance: 9.2, Strings: 7, Instructions: 409COMMON

Download Yara Rule

Strings

/), xrefs: 00F37944
JW, xrefs: 00F379BD
bX_^, xrefs: 00F37C10, 00F37C14, 00F37D78
3=, xrefs: 00F3795C
]_, xrefs: 00F379C8
J+, xrefs: 00F379D3
+5, xrefs: 00F3794C

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: J+$JW$]_$bX_^$+5$/)$3=
API String ID: 0-614990452
Opcode ID: b661d5c6f2f17acd8a304a0ce92615a074cfa384c2f26785bd40331a51c7ee0c
Instruction ID: 46bde2c329524278acdb5d7861f339bbcc4dbfa3c54e28bb8f3f1364f1d7c0e9
Opcode Fuzzy Hash: b661d5c6f2f17acd8a304a0ce92615a074cfa384c2f26785bd40331a51c7ee0c
Instruction Fuzzy Hash: 9ED1DCB560C344DFE7289F24D881B6BB7A2FBC5311F54892CF2858B291EB749805EB52

Function 010E0F79 Relevance: 9.1, Strings: 6, Instructions: 1621COMMON

Download Yara Rule

Strings

#Wz, xrefs: 010E1C42
a/mX, xrefs: 010E1CEE
n_, xrefs: 010E188E
B9{~, xrefs: 010E17EC
Zj~c, xrefs: 010E224D
!3_?, xrefs: 010E18F8

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: !3_?$#Wz$B9{~$Zj~c$a/mX$n_
API String ID: 0-3439657455
Opcode ID: 20ee354204b80ddc6571b7eafa4c9aae8527fb072daf0bc4e3ad1caa306b2422
Instruction ID: e128309dacb1e3226ae3e65a62e04fe45c053608af882f7177043113839a813f
Opcode Fuzzy Hash: 20ee354204b80ddc6571b7eafa4c9aae8527fb072daf0bc4e3ad1caa306b2422
Instruction Fuzzy Hash: 17B21AF3A0C2049FE7046E2DEC8567AFBE5EF94320F16463DEAC4C3744E67598058696

Function 010D1DF4 Relevance: 9.1, Strings: 6, Instructions: 1595COMMON

Download Yara Rule

Strings

4}J, xrefs: 010D21B5
Z/N|, xrefs: 010D1FBD
<;G, xrefs: 010D2457
R-E, xrefs: 010D1F33
6^~, xrefs: 010D2AEA
mDKq, xrefs: 010D3145

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: <;G$4}J$6^~$R-E$Z/N|$mDKq
API String ID: 0-2139206399
Opcode ID: eeb47aa63e9eefdb4315e76f838d1ba04b5a86124c2182febc613f1c8e219d39
Instruction ID: ebd2175fcb0663a8cc804026aade67ca361ba44d60db0393b867dc042eb49dd6
Opcode Fuzzy Hash: eeb47aa63e9eefdb4315e76f838d1ba04b5a86124c2182febc613f1c8e219d39
Instruction Fuzzy Hash: 4EB2D6F360C6009FE304AE2DEC8567ABBE5EFD4720F1A853DEAC487744EA3558058697

Function 010D5413 Relevance: 9.0, Strings: 6, Instructions: 1538COMMON

Download Yara Rule

Strings

rKkt, xrefs: 010D58EF
1NaW, xrefs: 010D58E0
Lw_, xrefs: 010D5B97
?jb1, xrefs: 010D5ED3
=i7E, xrefs: 010D6304
"Ajo, xrefs: 010D63C2

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: "Ajo$1NaW$=i7E$?jb1$rKkt$Lw_
API String ID: 0-2372187023
Opcode ID: b6c1bfd9b9ef7bceb0e91364200f2d1fbec0726bd9d230f5d1840b0d381d2f66
Instruction ID: fcf7f228ddaf3e5b97b63abf124319644d5da821a6dec37e97bfc2705a876500
Opcode Fuzzy Hash: b6c1bfd9b9ef7bceb0e91364200f2d1fbec0726bd9d230f5d1840b0d381d2f66
Instruction Fuzzy Hash: F8B206F360C3049FE304AE29EC8567AFBE5EF94720F16893DE6C483744EA3558458697

Function 010D3D54 Relevance: 8.8, Strings: 6, Instructions: 1253COMMON

Download Yara Rule

Strings

3mkv, xrefs: 010D459C
0U;w, xrefs: 010D4714
Q\{, xrefs: 010D3FAB
>F1{, xrefs: 010D3D7C
+Cyo, xrefs: 010D4B85
3mkv, xrefs: 010D45B9

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: +Cyo$0U;w$3mkv$3mkv$>F1{$Q\{
API String ID: 0-849906423
Opcode ID: 8dfb98842009b28ade6ec05b5f4b39a9963a7626fc6547d862c41885d329e3ab
Instruction ID: 039c2e1183971056611ada6919ca798b535ca43b888ad165fc37c0d90e24755e
Opcode Fuzzy Hash: 8dfb98842009b28ade6ec05b5f4b39a9963a7626fc6547d862c41885d329e3ab
Instruction Fuzzy Hash: C48208F350C204AFE304AE2DEC8567ABBE9EF94760F1A453DEAC5C7340E63598058697

Function 00F1AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

Ds, xrefs: 00F1AEE8
]f, xrefs: 00F1B021, 00F1B025
}v, xrefs: 00F1AED8
8)*6, xrefs: 00F1B25C, 00F1B064, 00F1B229, 00F1B232, 00F1B1B7, 00F1B1C3, 00F1B215, 00F1B084
:33F, xrefs: 00F1B0A4
8)*6, xrefs: 00F1B0B0

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 68f1e84251b890c0b2b13a1bce86bf8ae1ac984e152635b8b951c6455fee39a7
Instruction ID: 4b708ed7bd88805d4664a57952b34c07274ae2a9dbe44edc981fd1d9b470c4e3
Opcode Fuzzy Hash: 68f1e84251b890c0b2b13a1bce86bf8ae1ac984e152635b8b951c6455fee39a7
Instruction Fuzzy Hash: 36B1367560C3808BC325CF6884647EFBBE1AFC6324F18882CE8D59B351D375894ADB96

Function 010DDA69 Relevance: 7.8, Strings: 5, Instructions: 1572COMMON

Download Yara Rule

Strings

S>_], xrefs: 010DEA1D
QNg, xrefs: 010DE50E
UW~=, xrefs: 010DDB6A
Fv\l, xrefs: 010DEA5A
D-{, xrefs: 010DDB2A

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: D-{$Fv\l$QNg$S>_]$UW~=
API String ID: 0-293379994
Opcode ID: 8df78a6f9116becf369479830fb4fb87f0afc9431f42c1bf80aec46f0249441d
Instruction ID: 28a3291ab138c53f03adf069f52d1a173b6a205009da57d03ad322bea7a15a75
Opcode Fuzzy Hash: 8df78a6f9116becf369479830fb4fb87f0afc9431f42c1bf80aec46f0249441d
Instruction Fuzzy Hash: 19B204F360C2049FE7086E2DEC8567ABBE5EF94320F1A893DE6C5C7744E63598058687

Function 00F35AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00F35BBD
=^"\, xrefs: 00F35ABF
C@, xrefs: 00F35C40
)RSP, xrefs: 00F359A1
B:, xrefs: 00F35C36
K3, xrefs: 00F35C4A

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: 087d2f74cb7f3d8872f9deeb5d3ef4957c1ce207ec6b7f22ecc3a522952f615b
Instruction ID: 760d515b5c2b0d84bf52589ac48f17b45c5433104126bb843fe379267fcbb6d9
Opcode Fuzzy Hash: 087d2f74cb7f3d8872f9deeb5d3ef4957c1ce207ec6b7f22ecc3a522952f615b
Instruction Fuzzy Hash: 7DB112B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E518AB351D77859468FD1

Function 010E2B9E Relevance: 7.7, Strings: 5, Instructions: 1498COMMON

Download Yara Rule

Strings

tjn, xrefs: 010E3CE6
>/W, xrefs: 010E32CF
MHmk, xrefs: 010E2F8F
}D}/, xrefs: 010E2BEA
:u[a, xrefs: 010E2C3C

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: :u[a$>/W$MHmk$}D}/$tjn
API String ID: 0-1239054787
Opcode ID: da529e268b596fa6a5c084fbe742db8da8ce02d703a6150d6261221b3a801b06
Instruction ID: 16e80dbb564880f1c26319bd9a3c993bc4b68d47ae68c82038ec0d37d7b20458
Opcode Fuzzy Hash: da529e268b596fa6a5c084fbe742db8da8ce02d703a6150d6261221b3a801b06
Instruction Fuzzy Hash: 4FA207F360C2049FE304AE2DEC85A7ABBE9EFD4720F16493DE6C4C3744EA7558058696

Function 00F4F150 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

S"(w, xrefs: 00F4F44C
d5fg, xrefs: 00F4F1B0, 00F4F195
d5fg, xrefs: 00F4F1EF
f, xrefs: 00F4F3AD
S"(w, xrefs: 00F4F220

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-2961185688
Opcode ID: 02239384c6c25d97c023475815c8ce2795f8473775557a4418305778d06be80d
Instruction ID: 37687471ccad9ecdecf66cd41b051fc2bb3cf19c8d4cd284d8f47e1b6b49d6f1
Opcode Fuzzy Hash: 02239384c6c25d97c023475815c8ce2795f8473775557a4418305778d06be80d
Instruction Fuzzy Hash: 9A12D671A093519FC324CF18C880B2BBBE1AFC5324F19863DE9A9573A1D775DC099B92

Function 00F38437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

H}}C, xrefs: 00F38850
LMR|, xrefs: 00F38848
"#, xrefs: 00F38B43
vu~r, xrefs: 00F38868
J'N!, xrefs: 00F38B3B

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: 71414499164431096fbc8317847acb312842b284bd6a76782134632040900890
Instruction ID: b4ef7fcbe302ce1b3e5c196b46be023adefc526d31c0ded7a100cd48c9db2c65
Opcode Fuzzy Hash: 71414499164431096fbc8317847acb312842b284bd6a76782134632040900890
Instruction Fuzzy Hash: 28E14BB150C381CFC714CF2898812ABB7E1AF86365F18486DF9C587342DB79D90ADB92

Function 00F142B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

IHDR, xrefs: 00F146AC
IEND, xrefs: 00F1478F
), xrefs: 00F1432D
), xrefs: 00F14337
IDAT, xrefs: 00F1471B

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 360c3333ae74d1c73cb959e976406c084943882ede1bc91a90a00a0315767d94
Instruction ID: 16d0fc1c94fd1ef299750b15c2ace86973a7cc408863e9f7ccd3a0401df2e545
Opcode Fuzzy Hash: 360c3333ae74d1c73cb959e976406c084943882ede1bc91a90a00a0315767d94
Instruction Fuzzy Hash: FD0205715083849FD704CF29D8907AABBE1FFC5314F04862DE9858B392D379E949EB92

Function 00F192A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

C, xrefs: 00F1960D
#"2., xrefs: 00F193C2
P, xrefs: 00F1948B
RRP\, xrefs: 00F1973E
!oW1, xrefs: 00F193CA

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 733ee7fe0d953bc5c2f79d2f00f6c9f7bcb07914854a23b3b7d09e777c691039
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: 45C1277161C3914BD3258F29C4A03ABBFE2AFD3314F18896DE4D44B386D379854ADB92

Function 00F39FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

d~`}, xrefs: 00F3A35B
sf, xrefs: 00F3A36B
lvhu, xrefs: 00F3A34B
ooKv, xrefs: 00F3A363
,fbV, xrefs: 00F3A353

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: df3ff67810fb3820d40bcdf6be5a759b9e06967af82ca7cf692d2f92e17b7a6f
Instruction ID: 66bf0ad8322e677c05374959c507f93230af9cbc85213cbc5de4e01f766ef1b8
Opcode Fuzzy Hash: df3ff67810fb3820d40bcdf6be5a759b9e06967af82ca7cf692d2f92e17b7a6f
Instruction Fuzzy Hash: C9E128B290C3418FD724CF29C8917AFB7E2AFD1314F08896CE5D587252E679E908D792

Function 00F1D545 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

9Y, xrefs: 00F1D854
&W-Q, xrefs: 00F1D7B9
?C*], xrefs: 00F1D7A4
|qay, xrefs: 00F1D641
~wxH, xrefs: 00F1D64F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 0-1959178137
Opcode ID: b29705956ab1baefdec65945f10ff70bfca187adad671b84f6e89972ed0e3374
Instruction ID: 7f402f67e6e962e2e8743ac1613b94e8c34bbbeafeeb1fdf850030be285b2fea
Opcode Fuzzy Hash: b29705956ab1baefdec65945f10ff70bfca187adad671b84f6e89972ed0e3374
Instruction Fuzzy Hash: C0B105756047918BD725CF2AC4E07A2BBF2FF96310B18C1ACC4D64BB46D738A846DB91

Function 010E4509 Relevance: 6.6, Strings: 4, Instructions: 1580COMMON

Download Yara Rule

Strings

OFb., xrefs: 010E45B5
.], xrefs: 010E500A
AZ~|, xrefs: 010E4DF6
JKg,, xrefs: 010E5689

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: .]$AZ~|$JKg,$OFb.
API String ID: 0-2609359700
Opcode ID: 8411a3a17cd839ac2460ebcf67356a4198361767891af3329e70ea5240a271a5
Instruction ID: ab25315e9fba757ebc24d22f0c19d5f1255312b8df0fe5c8d1e80efe061f7cbb
Opcode Fuzzy Hash: 8411a3a17cd839ac2460ebcf67356a4198361767891af3329e70ea5240a271a5
Instruction Fuzzy Hash: D0B2E3F360C2049FE304AE2DEC8567ABBE9EF94320F16893DE6C4C3744E67598458796

Function 00F19790 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

*+, xrefs: 00F19B1E
{u, xrefs: 00F19A7E
nz, xrefs: 00F198E3
kh, xrefs: 00F19BE3

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: *+$kh$nz${u
API String ID: 0-424779605
Opcode ID: cd1990cb6dc354c3eebcd306a3c9f6777ec193e886fb4b1bc983a57dd857da37
Instruction ID: 6f7a1fad4baa9d948b99955ef0e4710738c20eb7e79b801135e61731f4d63347
Opcode Fuzzy Hash: cd1990cb6dc354c3eebcd306a3c9f6777ec193e886fb4b1bc983a57dd857da37
Instruction Fuzzy Hash: 6ED115716083508BD724DF34C861BABBBE2EFC1314F18896CE5D58B391D678C54ACB86

Function 00F3FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

t, xrefs: 00F3FCCC
_Pna, xrefs: 00F3FD26
BVAI, xrefs: 00F3FF6A
mc, xrefs: 00F3FDF9

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: b670f054c59b8f4d5ce99bd1afd50334994ba10c7c811e1ec13f524ed6220f46
Instruction ID: 67454ef40053cd5a06fb80245435f6648d2fd1c11516b61b64d86b7058bc672f
Opcode Fuzzy Hash: b670f054c59b8f4d5ce99bd1afd50334994ba10c7c811e1ec13f524ed6220f46
Instruction Fuzzy Hash: 95A1F47090C3C18BE739CF2580103ABBBE1AFD7324F18896DD0D997282D779814ADB56

Function 00F3EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

0, xrefs: 00F3ED00
D, xrefs: 00F3ED68
8<j?, xrefs: 00F3ED50
4b, xrefs: 00F3EDDA

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: 6b5a9b896f96a0dd6ffb9d63f388875ed500b9d9bbac8029897c2c236c711af1
Instruction ID: 75baeb4e604ca941a37e941350d7e6bbeab5330c089a434f9c137bdb258317cc
Opcode Fuzzy Hash: 6b5a9b896f96a0dd6ffb9d63f388875ed500b9d9bbac8029897c2c236c711af1
Instruction Fuzzy Hash: 3F91086160C3818BD718CF39886137BFBD19FD6325F29896DE4D6CB2D1D238C8499712

Function 00F3A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

v, xrefs: 00F3ADD1, 00F3AE5D, 00F3AD90, 00F3AE45, 00F3AB80, 00F3AC4B, 00F3AC34, 00F3ABC1
bt, xrefs: 00F3AE84
zi, xrefs: 00F3AE8C
v, xrefs: 00F3ACB0

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: 19160b74a0f8ef07f2a9fcf59dbf6d57a6d0c1e970c39120811ea1350d229dc9
Instruction ID: 2a950ddcda7055dcbeba89d1cda3cac786ee148cce432749bc8acf1f20802fea
Opcode Fuzzy Hash: 19160b74a0f8ef07f2a9fcf59dbf6d57a6d0c1e970c39120811ea1350d229dc9
Instruction Fuzzy Hash: 82D1787260C3558FD725CF29D44068FFBE6EBC4314F06892DE8E99B281D774D60A8B86

Function 00F2BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

WT, xrefs: 00F2BD39
9HiN, xrefs: 00F2BD21
,D,J, xrefs: 00F2BD19
'P0V, xrefs: 00F2BD31

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 41f62a015abecb4c93ebb7a6fd71e70754b8ef9c0f585134bc74166a616e6e20
Instruction ID: 4f09470148cad4c2d67f2055663e293cb702f8adb69b74f7e7c8b7f48979685d
Opcode Fuzzy Hash: 41f62a015abecb4c93ebb7a6fd71e70754b8ef9c0f585134bc74166a616e6e20
Instruction Fuzzy Hash: D3B1F2766493659BD304CF66DC802AFBBE2FBC1314F098D2CE5985B341D779890A9B82

Function 00F28A7A Relevance: 4.4, Strings: 3, Instructions: 622COMMON

Download Yara Rule

Strings

+, xrefs: 00F28DD8
<, xrefs: 00F2913F
jjj, xrefs: 00F28AB8

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: +$<$jjj
API String ID: 0-4032814411
Opcode ID: d089d30f79c84f5ba71f0d3c1d62b56341ff2d673d81c44d7b6ccddceade8b02
Instruction ID: bec8aeea1d01c3bfea642ae6ec3d76338385b15873d2adfb04209ab0333cd534
Opcode Fuzzy Hash: d089d30f79c84f5ba71f0d3c1d62b56341ff2d673d81c44d7b6ccddceade8b02
Instruction Fuzzy Hash: 2C024971609360CFC728CF28E89076BB7E1FF85361F19496DE4C697291DB349806EB92

Function 00F31E70 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

defgau`c, xrefs: 00F31FCA
(ijkdefgau`c, xrefs: 00F31FBE
au`c, xrefs: 00F31FC6

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 417be931a8213e2847a685a7c0d9ab75eb8f0846b37abef959b1623d2869777c
Instruction ID: 60275026440725f6b2b9d69e9f754df92b4d25fed0833d0c1677d6db75345131
Opcode Fuzzy Hash: 417be931a8213e2847a685a7c0d9ab75eb8f0846b37abef959b1623d2869777c
Instruction Fuzzy Hash: 86D1DDB1A083409BD754DF28C891B6BBBE1FFC5364F18892CE9868B391E775D805CB52

Function 00F44CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

$, xrefs: 00F44DE6
., xrefs: 00F44DE2
K, xrefs: 00F44DDE

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: 626b2c4a3802a2ab53b54c5962b9cea3fa75b37d920ee5de90e781e0507e7769
Instruction ID: c005cc8786855e9d57ad5ff82ba2aec369bb3450ef92bffcba87391a1a208401
Opcode Fuzzy Hash: 626b2c4a3802a2ab53b54c5962b9cea3fa75b37d920ee5de90e781e0507e7769
Instruction Fuzzy Hash: 93029E71614BC08BE3158F3DC891352BFE2AB56304F0CC9AED4DACB787C269E5458B65

Function 00F3EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 00F3ED68
8<j?, xrefs: 00F3ED50
4b, xrefs: 00F3EDDA

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 8da6079e87a2527f99c511a9769d0991d15c068600f2b09256c133990ea03657
Instruction ID: d6569d30ddb76797340ccbae1170b8e7cb4d870c7f028dcf29f91889069d23c5
Opcode Fuzzy Hash: 8da6079e87a2527f99c511a9769d0991d15c068600f2b09256c133990ea03657
Instruction Fuzzy Hash: E681F96160C3818BD718CF39886136BBFD19FD6325F28896DE4D68B2C1D278C4469756

Function 00F3EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 00F3ED68
8<j?, xrefs: 00F3ED50
4b, xrefs: 00F3EDDA

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: e645f16886e30c26a49b828cc0999c77c389975d15f2d6266e5e0128c58af506
Instruction ID: e32b21bc186e498b30474c4b90f3e7d2a6fc8a5851a1e4a91ef92818563e7360
Opcode Fuzzy Hash: e645f16886e30c26a49b828cc0999c77c389975d15f2d6266e5e0128c58af506
Instruction Fuzzy Hash: 1C81096160C3818BD719CF3988A137AFFD19FD6325F2D896DE4D28B2C1D278C44A9716

Function 010D0382 Relevance: 4.1, Strings: 2, Instructions: 1557COMMON

Download Yara Rule

Strings

;xx, xrefs: 010D11AE
GI/y, xrefs: 010D0AC6

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: ;xx$GI/y
API String ID: 0-3218357727
Opcode ID: 30bb54daac709460ffe16120803dc44785a071216c383936b4bec953f3c590d1
Instruction ID: 64dcb8487202c14c33423a70ccdb4ea52ad5041ea94d2fe078ce71f7d60ee931
Opcode Fuzzy Hash: 30bb54daac709460ffe16120803dc44785a071216c383936b4bec953f3c590d1
Instruction Fuzzy Hash: 8DB212F3908204AFE3046E2DEC8567AFBE9EF94720F1A493DEAC487744E63558058797

Function 00F18F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

Z, xrefs: 00F190E8
ut, xrefs: 00F190E1
#=0, xrefs: 00F18FC5

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 12566d064a628803ca9d793cc118a5e1f962a4de7d2d09140521b9e4ff76bb92
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 2981163150C3829AD7058F39C4603ABFFE1AFA3314F1849ADD4D19B386D679C54AD792

Function 00F3EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

D, xrefs: 00F3ED68
8<j?, xrefs: 00F3ED50
4b, xrefs: 00F3EDDA

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 0aba11173a94512ac4c849ba96199dbeb480a53d205e2805fc9febf3d72bc314
Instruction ID: d175701f40c1f9eeac9cf8502f53b7624ca386f7d99fd7bc440d80565e130172
Opcode Fuzzy Hash: 0aba11173a94512ac4c849ba96199dbeb480a53d205e2805fc9febf3d72bc314
Instruction Fuzzy Hash: 7381086160C3818BD318CF3988A137AFFD29FD6325F2D896DE4D18B2C1D238C44A9B56

Function 00F52D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00F52D22
NMNO, xrefs: 00F52E20
D`a&, xrefs: 00F52ED5

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: 76968d2a0ee32cd551aa655ab51a3818c420ecba7f318661f8d7ff52d9ecaebc
Instruction ID: 2e48f9cc607a1d3d8b8d3b2a06555d97595cfdb4719f365259c5cbf92c1e1f85
Opcode Fuzzy Hash: 76968d2a0ee32cd551aa655ab51a3818c420ecba7f318661f8d7ff52d9ecaebc
Instruction Fuzzy Hash: 348138317083054FD358DF28DC8166BB7E2EBC5325F29862CEAA54B391DB31D90D9791

Function 00F2825B Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

7, xrefs: 00F283A3
gfff, xrefs: 00F283EA
), xrefs: 00F2837A

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: a81146b4b58d69ce52d8af26366e7229469e80b76f4aa849b665899a7ad1b1d5
Instruction ID: 480c39339c961077d41f00c3578b09d933ab4229f9fb6521b3593c5591caa49f
Opcode Fuzzy Hash: a81146b4b58d69ce52d8af26366e7229469e80b76f4aa849b665899a7ad1b1d5
Instruction Fuzzy Hash: 5A814672A142658BD324CF28DC427AB77D2EBC8364F18C92DD586DB391EB38D80697C1

Function 00F37133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

FOOE, xrefs: 00F37307
UUQg, xrefs: 00F37323
KGFU, xrefs: 00F37315

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: ec3bf5c8f80772ea916f0fca2b0f687811c1edc794f83309ae60ae726f5e3d8b
Instruction ID: 8749e53fe6ae98b8fadbf6fd59ebec33f9fb3ee4d82bf982099dcc2b1e0c2434
Opcode Fuzzy Hash: ec3bf5c8f80772ea916f0fca2b0f687811c1edc794f83309ae60ae726f5e3d8b
Instruction Fuzzy Hash: E4617CB3E593568FD7309BA8C8402EBFBA2EF55330F194269D8558B382E334D905E790

Function 00F2AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

t]ae, xrefs: 00F2B081
I`af, xrefs: 00F2B038
5230, xrefs: 00F2AFC1

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 0454c6efaf30fa373e005053889f08bf11ae9710f64883ed0a773585dc8459eb
Instruction ID: 62982d2a6cb1083bc09c8fa0c443525970ebfdcbb448333c1810736994a076d7
Opcode Fuzzy Hash: 0454c6efaf30fa373e005053889f08bf11ae9710f64883ed0a773585dc8459eb
Instruction Fuzzy Hash: 7A515672A14B808FD739CF66C991763BBE3BBA1304F18896DC1C287695DAB8A405C700

Function 00F2DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

A, xrefs: 00F2DC18
5230, xrefs: 00F2DB20
1, xrefs: 00F2DBA3

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 52f672c7a3c636b30ad8e506a995c77bdfb7319fc53ccb9d71318157fc91d03c
Instruction ID: 6be48e49b630348ff96a1a4daad97bc02269f611154d2d69bb0490413e9027c0
Opcode Fuzzy Hash: 52f672c7a3c636b30ad8e506a995c77bdfb7319fc53ccb9d71318157fc91d03c
Instruction Fuzzy Hash: EF417C3265C3405AE324AE75DC4676BB6D3EBD1324F18C53DF1D9472C5EAF848069312

Function 00F14DC0 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 00F156DB
8, xrefs: 00F156D3

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 10fee5121709a429bdef4188cc2b4c4732fa048bae2d80d4b42c53889e5d86f0
Instruction ID: 0da8b8ac81f4fc86d88f916578ecfd4b3a99815e79c12ccc3e4350cb91e27aab
Opcode Fuzzy Hash: 10fee5121709a429bdef4188cc2b4c4732fa048bae2d80d4b42c53889e5d86f0
Instruction Fuzzy Hash: 2B723271508340EFD724CF18C880BAABBE1AFD8714F44891DF9998B391D375D998DB92

Function 00F28B23 Relevance: 3.1, Strings: 2, Instructions: 581COMMON

Download Yara Rule

Strings

+, xrefs: 00F28DD8
<, xrefs: 00F2913F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID: +$<
API String ID: 2994545307-366931250
Opcode ID: 04f9f57cfee452c9537fc09e317d7a305ee794faa182809199a961a2b2c79089
Instruction ID: 477d49062fb30c9834f70db9618c87b70ca1874a0ae6786f007dd400a104a62d
Opcode Fuzzy Hash: 04f9f57cfee452c9537fc09e317d7a305ee794faa182809199a961a2b2c79089
Instruction Fuzzy Hash: 52F15971609360CFC728CF28E89036BB7E1BF85361F19496DE4C687291DB349806EB92

Function 00F28B79 Relevance: 3.1, Strings: 2, Instructions: 563COMMON

Download Yara Rule

Strings

+, xrefs: 00F28DD8
<, xrefs: 00F2913F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID: +$<
API String ID: 2994545307-366931250
Opcode ID: 1a770b7c1c91c119f2da364a7534dac2b50eb3bfb002835958f2f28e6dac7ad2
Instruction ID: 91e98363ed660bb64acf88b9fa008933e1b06cffc968891868cfa3862c56c92b
Opcode Fuzzy Hash: 1a770b7c1c91c119f2da364a7534dac2b50eb3bfb002835958f2f28e6dac7ad2
Instruction Fuzzy Hash: A9F14A3160D360CFC724CF28E89076BBBD1BF85361F19496DE4D697291DB349806EB92

Function 00F28BC9 Relevance: 3.0, Strings: 2, Instructions: 548COMMON

Download Yara Rule

Strings

+, xrefs: 00F28DD8
<, xrefs: 00F2913F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID: +$<
API String ID: 2994545307-366931250
Opcode ID: 447949fe8878be5f078249162181e494e12e730c0dfe08e677ae82b24f17fcfc
Instruction ID: 292ad97aa7d4548315e18344d1b22ad2776bb22c22c04dda09a25aacd54c8e75
Opcode Fuzzy Hash: 447949fe8878be5f078249162181e494e12e730c0dfe08e677ae82b24f17fcfc
Instruction Fuzzy Hash: 84E15A3160D360CFC724CF28E89076BBBE1BF85361F19496DE4D687291DB349806EB92

Function 00F28C2A Relevance: 3.0, Strings: 2, Instructions: 520COMMON

Download Yara Rule

Strings

+, xrefs: 00F28DD8
<, xrefs: 00F2913F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: +$<
API String ID: 0-366931250
Opcode ID: dce9a3ab3e95afc7523f6ad3f018ad3b9c7b5e6468e656b310a74345002c70a3
Instruction ID: 47c1d328e9c254ad8b27cfd05b5d367c1d608418cb20c3e8d284a8119b71682e
Opcode Fuzzy Hash: dce9a3ab3e95afc7523f6ad3f018ad3b9c7b5e6468e656b310a74345002c70a3
Instruction Fuzzy Hash: D4E1493150D360CFC724CF28D8907ABBBE2BF85321F19896DE4D697291DB349906DB92

Function 00F3B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

?;;, xrefs: 00F3B3AA
{wBy, xrefs: 00F3B538

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: d3e1861c40dc1d0c1812a5d878f0fd651ce07d0f35bdb85d7eaaa1bc1f95de2b
Instruction ID: ac3204f710fc6e1e534e8019cc92eacbf0474114e9add08a9522a16b4b9454ae
Opcode Fuzzy Hash: d3e1861c40dc1d0c1812a5d878f0fd651ce07d0f35bdb85d7eaaa1bc1f95de2b
Instruction Fuzzy Hash: 58F13271A0C344DFD315DF28D8A172AB7E1AF85325F088A6CF6D6872A2D335D905EB12

Function 00F41E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00F42051
nz, xrefs: 00F4204A

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: 1cd5a095d5e7a6007254b1260b8a81e0033d22b4e29ff53c08b3864e155cb557
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: 7CE12972608B808FD315CB3CC891396BFE2AFDA314F1D866DD5EA8B392D675A406C711

Function 00F37490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 00F375CE
o~, xrefs: 00F375E6

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: 25461eced12ac3aaaa5cd3fece7541b19e41618dbaf2cbbb488519ba86bd5b45
Instruction ID: 5e30213e98ed8617536e4ed68e1861c43f0b9921127636ad033fcc0fc0228168
Opcode Fuzzy Hash: 25461eced12ac3aaaa5cd3fece7541b19e41618dbaf2cbbb488519ba86bd5b45
Instruction Fuzzy Hash: 459148B690C3148BD320DF18C85166BBBE2EFD1324F09892CE9D95B391E7B4C905D786

Function 00FDA93F Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

7ow, xrefs: 00FDAB09
$k<m, xrefs: 00FDAB99

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: $k<m$7ow
API String ID: 0-1533143338
Opcode ID: 92496d5c042f8e4f3245cec2433c32570d57ede52db32cbcfac24e8ac9964965
Instruction ID: 40fad54a9c3ae918576f53a7fbb3cc1dd1b28d2f9026b34a04346cf9338cd6f3
Opcode Fuzzy Hash: 92496d5c042f8e4f3245cec2433c32570d57ede52db32cbcfac24e8ac9964965
Instruction Fuzzy Hash: 0D7136B3A1C2108BE7086E3DEC9573ABBD6EF94720F1A463DDAC5D7784D93948008786

Function 00F38280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 00F382C5, 00F382F6
:7$%, xrefs: 00F38375

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: 6b2dffe9e6dd9aa3e81bbee32b49cdc345472669fd3c14b501affcbc3913ca46
Instruction ID: f4c5eb2874ebd31dd42023376655bb36dd9c3d3aedd921e9dfa76aab180b6e74
Opcode Fuzzy Hash: 6b2dffe9e6dd9aa3e81bbee32b49cdc345472669fd3c14b501affcbc3913ca46
Instruction Fuzzy Hash: 7421D3715083808BD7089B79C965B6FFBE5FBC2318F105A2CE1D287291DBB4C409CB82

Function 00F24C20 Relevance: 2.2, Strings: 1, Instructions: 989COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00F25070

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 96da0f72db051c4977f30ba9e28fabf392f5ea087b9fa9e21a7ce57696d2719e
Instruction ID: 858d874936b69382d1f59e488d3d510f07dc7a03949f8c81435cb0b6cd20de73
Opcode Fuzzy Hash: 96da0f72db051c4977f30ba9e28fabf392f5ea087b9fa9e21a7ce57696d2719e
Instruction Fuzzy Hash: 2E521471A08710DBD714DF28FC9162A73A2FB85325F58452CFA958B2E1E774A805EB81

Function 00F2194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00F21D64

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: b0b2e48a1281bb12c91a718fce28e4c910caf26a7dc676c87667bc2528ce4e45
Instruction ID: 793432b4df29b7320f4e5b06c45fc5d82f01248c7aa93d0f5ad1bcd0a9b95efd
Opcode Fuzzy Hash: b0b2e48a1281bb12c91a718fce28e4c910caf26a7dc676c87667bc2528ce4e45
Instruction Fuzzy Hash: A4422B76A04B408FD714DF38D891366BBE1BF95314F188A3DD4AB8B392D639E446D702

Function 00F4CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 00F4D2AD

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: a92125fadff12cbdb08b6776b06ae5c48f910981db5579c6e340e713c81c48af
Instruction ID: a2e5a910bc5fb6c4c81cf8893a1d6828b3065d7abac4cf3fb7b500eb031da44f
Opcode Fuzzy Hash: a92125fadff12cbdb08b6776b06ae5c48f910981db5579c6e340e713c81c48af
Instruction Fuzzy Hash: 0E322036A18352CBD7049F38D81226BB7E1FF99321F0A887DD9C183291E779CA45D782

Function 00F42426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 00F4249F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: a7342432cbe106ce4fed6e99776be80130a030233e4dc864ceddac12a2b05fd3
Instruction ID: c5f7a0c6bbb887d7b4c4ee6cecad8be6468d559f6a5a56fac79f708609a0c2f1
Opcode Fuzzy Hash: a7342432cbe106ce4fed6e99776be80130a030233e4dc864ceddac12a2b05fd3
Instruction Fuzzy Hash: D3128C71609AC08FE3158B38C891392BFE1AF66304F1CC9ADD4EACB387D63AD5068751

Function 00F32380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 00F323AC

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 3e80220d373d386f77bd7b29b29d357652a12f0cda5dd27f98f84ab7235e0bb6
Instruction ID: 5cc8ee9cf20c0f9a24a31785c5f60f56c19f4444c897d43b58cd68453bc1df7f
Opcode Fuzzy Hash: 3e80220d373d386f77bd7b29b29d357652a12f0cda5dd27f98f84ab7235e0bb6
Instruction Fuzzy Hash: 70A1F372A043109BD760DF28DC9276BB3E0EF81374F18852CE8959B292F339ED45A752

Function 00F4C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00F4C7C0

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 18047d0a1b89d014d41cc3e9dec42a1ac5cd6b53e64bbc8d8b680a6446a564cd
Instruction ID: cb13bc36bc63aaa8240561008c52cd379a35f74e8bf4a8794c4e945ec6f6c894
Opcode Fuzzy Hash: 18047d0a1b89d014d41cc3e9dec42a1ac5cd6b53e64bbc8d8b680a6446a564cd
Instruction Fuzzy Hash: 47A15936A053109FD324CE69CCC172BBBA6EBC5334F19962CED9957291E730AC05ABD1

Function 00F2BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 00F2C360, 00F2C364

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: ce8fe881fa94ca6dca510b767a536cf65a0c1ed728fffdc5dcee291b5785332f
Instruction ID: 437fbbf6050b4fcccecf547fab7981452cf9e32f75d48b4cdc4dcb5275cfa6b9
Opcode Fuzzy Hash: ce8fe881fa94ca6dca510b767a536cf65a0c1ed728fffdc5dcee291b5785332f
Instruction Fuzzy Hash: E29102B59183208BC314CF28D89226BB7E2EFD5364F18D92CE8D59B391E7788905D7D2

Function 00F26ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00F27069

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 5a99c9175871115e4a0fb44409446874dd9badc88a528575ec87efb95fe11b29
Instruction ID: 50b0aca08bb6fade1977efc29afa30ba4e27b0925af88012a457383bd60cb242
Opcode Fuzzy Hash: 5a99c9175871115e4a0fb44409446874dd9badc88a528575ec87efb95fe11b29
Instruction Fuzzy Hash: 1FB199B19093818BD734CF25C8917EBBBE1EFD6324F18891CD4C99B291EB784446DB86

Function 00F1DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 00F1E295

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: e73ab335685ffdec620ab6dece2b1e10136831d7950523e4776724d67fd30dad
Instruction ID: 7f42730a936fc85c9890fada507760a9138e1f8a2f889048fe38935017ae4beb
Opcode Fuzzy Hash: e73ab335685ffdec620ab6dece2b1e10136831d7950523e4776724d67fd30dad
Instruction Fuzzy Hash: 639121B5604B819FD315CF29C990662FBE2FF96310B19869CD4D28FB56C738E806CB91

Function 00F52470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00F52490

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: 5f9fb82f0db48dc7ec5825ddee394f83111dc9986bc71775c246f82a362a9406
Instruction ID: 169eb259e51a59c6b5509a6d6b7c191ef4afede340fd009cb45c490d9967f55c
Opcode Fuzzy Hash: 5f9fb82f0db48dc7ec5825ddee394f83111dc9986bc71775c246f82a362a9406
Instruction Fuzzy Hash: 7E912D319087118BC718DF28D89097FB7E2EFDA321F19866CE98697291E731DC05D782

Function 00F37F30 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 00F38074, 00F38093, 00F380C4

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 75e988bc581cf1857afaa3891c7a7369b5ec4c737ecc96454845c00188fdb851
Instruction ID: 2da9e09902de81886551adc698ece6cd2aaee2062ea4d03e0fc68dd991748325
Opcode Fuzzy Hash: 75e988bc581cf1857afaa3891c7a7369b5ec4c737ecc96454845c00188fdb851
Instruction Fuzzy Hash: 87815BB1A083109BD714AB65DC9176B73A5EFC1374F18862CF98547391EB3C9C0BA792

Function 00F16000 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00F16169

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: 7741e66bca2d78bcae5175e3d56caec9b0226679c5bf7b6cc33ea64b4828c17d
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: DAB148716083819FD325CF28C88065BFBE0AFA9704F448E2DF5D997382D231E958CB96

Function 00F43930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00F439CA

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9c588529a0d2a29e8812dbe02ac9b261d71981d715d5b4ca1f8578cc880b5be7
Instruction ID: 1e01c0c4542141e8b132e562cadc90559fd80fe68ec070766c19c3e25e32be1b
Opcode Fuzzy Hash: 9c588529a0d2a29e8812dbe02ac9b261d71981d715d5b4ca1f8578cc880b5be7
Instruction Fuzzy Hash: 42814623759AD44BD728993C4C613BA7E934BD2330F2CC76DBAF68B3E1D5688905A340

Function 00F527B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 00F528B7

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: =^"\
API String ID: 0-2152245029
Opcode ID: 1767685162ed21dd3c8b6ded0322115f047edb6ef35fcea882e3b0742d0316da
Instruction ID: b3388ef9fb203e4d99f6c41d4fe39469f27dea4b8c63ae0201e979ec466e67f0
Opcode Fuzzy Hash: 1767685162ed21dd3c8b6ded0322115f047edb6ef35fcea882e3b0742d0316da
Instruction Fuzzy Hash: 4C81B2346043018BC764DF1CD890A2A77E2FF9A721F14866CEE958B3A1EB35EC55EB41

Function 00F3D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00F3DA2E

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 7c424194eaac14d31291273d5a44f72ce0d1ae1c6ba13e28d04e415cab176c0c
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 5471F632A083158BDB14CE2CE98031FF7E2ABC5730F29856DE4949B391D335ED49A786

Function 00F2A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 00F2AA58

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: 72245fef55edaa999a0ab14edede3b9d412ee494f491a9a484138b75b7774929
Instruction ID: e2bdd047b4bb096727a6caa0d34fa87f0a295e592d4582251c2e2f6015f2894a
Opcode Fuzzy Hash: 72245fef55edaa999a0ab14edede3b9d412ee494f491a9a484138b75b7774929
Instruction Fuzzy Hash: BA5111B0911B508BC7289F25C8616B3BBF1EF56355B084A5CC5C38BA46E739A909CBA1

Function 00F5042D Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 00F50445

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID: 7&'$
API String ID: 0-2529063906
Opcode ID: 686b52f1bad3f21e1596802c9fd5ad17e0f2d49ca52af3780d7d20d007f2678f
Instruction ID: b417f420da15bc97b8b657fe0c9f0d64542c8eb38cff358099395c569816d2df
Opcode Fuzzy Hash: 686b52f1bad3f21e1596802c9fd5ad17e0f2d49ca52af3780d7d20d007f2678f
Instruction Fuzzy Hash: 21F09C309146444BDB518F3C98996BE77F0E713324F302AB4CB5BE32A2CA30C8824F04

Function 00F2F6D0 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed54615ca3c2cecdb681a69b1e3f43a8b73379f8aaf99200b798b6f4a94dc8d8
Instruction ID: 384b350dd34680bbcf641fbf99be4e97f7a8c5d8f3863eebaf9fe61cbae34438
Opcode Fuzzy Hash: ed54615ca3c2cecdb681a69b1e3f43a8b73379f8aaf99200b798b6f4a94dc8d8
Instruction Fuzzy Hash: 0D72D0B1618B808FD3298F3C8845397BFD6AB5A324F184B6DA1FA873D2C77561068716

Function 00F12EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63118830854992f00ccb861f134885c30a8af2fef343badebd46d5fd3f707ada
Instruction ID: 26283649422363777ee858d720ce21472dd3ec7df7d7d242735ecaaac297d9d7
Opcode Fuzzy Hash: 63118830854992f00ccb861f134885c30a8af2fef343badebd46d5fd3f707ada
Instruction Fuzzy Hash: 2852E6719083458FCB15CF29C0906EABBE1FF88324F198A6DF89957341D739D989DB81

Function 00F16850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c295f79878d7d72a5a52d7a41c278fef2a37a689dfb4bc4f782df4d558443c24
Instruction ID: c6986b6f40ab6c55cfdeea0fb956653144e021d692d272af539d0b854adaf60e
Opcode Fuzzy Hash: c295f79878d7d72a5a52d7a41c278fef2a37a689dfb4bc4f782df4d558443c24
Instruction Fuzzy Hash: D252DF70A08B849FE731DB24C4843E7BBE1EF51320F14882DD5EB46A82D379A9C5EB55

Function 00F4080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805a1868c6b5abc05aa009a6c5930552021caba7adc36720932c8c0acf7f0605
Instruction ID: 5ab1fc928e7b7450c0eae02b045371540b9dbf72f0146aac1d2c97572c5af518
Opcode Fuzzy Hash: 805a1868c6b5abc05aa009a6c5930552021caba7adc36720932c8c0acf7f0605
Instruction Fuzzy Hash: 2542C2B0505B809FD315CF39C896793BFE1AB56310F18CA9DE4EE8B382C2399445CB92

Function 00F17620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: 3d9d4f77b20ad06907cb0af025b1d51495ca93886021be19fab10a9e82fbc7f0
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 1F12B532A0C7118BC725EF18D8806EBB3F1FFC4315F19892DD98A97285D734A995D782

Function 00F13900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c2d9d4500c90840ae6493bd408f79c410737870b7035faaaa08545fb75f47b
Instruction ID: 8e7f8cc6218f777dcabee7196d52ecccb1267521a80771763badf094d0d6e28e
Opcode Fuzzy Hash: 56c2d9d4500c90840ae6493bd408f79c410737870b7035faaaa08545fb75f47b
Instruction Fuzzy Hash: 30322471914B108FC328CF29C5906AABBF1BF95710B604A2ED69787F90D736F985EB10

Function 00F36C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1fc4d1f90c0229a0c75fee73092984f4471b27d57c55b16dc16a2527d14b4f
Instruction ID: f48f2f84efc85d3752d62b032d662bb37f93c4c6fd519025fdbdf162ec203c99
Opcode Fuzzy Hash: 6d1fc4d1f90c0229a0c75fee73092984f4471b27d57c55b16dc16a2527d14b4f
Instruction Fuzzy Hash: 46120776E04216CBDB18CF68C8907AEB7B2FF99320F29C098D541AB3A5D7359D41EB50

Function 00F51B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9be23e759df37179561f6c361668a18e0aba2a2b262dbfa22dbacf01064fe27
Instruction ID: 1fb3377cb28db3a95b490df412a60abe9b8fccf8ad1d272410a16db07d8e2e96
Opcode Fuzzy Hash: e9be23e759df37179561f6c361668a18e0aba2a2b262dbfa22dbacf01064fe27
Instruction Fuzzy Hash: 72E1C131618755CFC308CF38D89062BB7E2FBC9326F09896DDA8687291D734E945DB81

Function 00F1E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45ddc8a7c9819dc0b5064b0ce3510ac144cc0ae2745c55266cfabeaa72726eb
Instruction ID: 254079438ea0b4a6f08c9ef17ec31532643f8ebb48eb3e8c12fbba372599ff37
Opcode Fuzzy Hash: d45ddc8a7c9819dc0b5064b0ce3510ac144cc0ae2745c55266cfabeaa72726eb
Instruction Fuzzy Hash: 24122BF1900B00AFC3A0DF39D946797BFE9EB46360F144A1EE5EE87281D73161459BA2

Function 00F15AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: d54a67e9922287237a215e2557652a26a6f4c9fe0c5b9ddecd813af1bd0dea6e
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: 44F1CE76608741CFC724CF29C880A6BFBE6AFD8700F08882DE5D587751E675E885CB92

Function 00F51BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42376d67784c6aedc50a7283ed5f2ef079ca25038d1df4d3d07152237d4f02d2
Instruction ID: 0149f1d43a74b73906cc5e7d990bff5d560064712e14a05d64d9a192e7b38d18
Opcode Fuzzy Hash: 42376d67784c6aedc50a7283ed5f2ef079ca25038d1df4d3d07152237d4f02d2
Instruction Fuzzy Hash: 3CD1C031618755CFC318CF38D89062BB7E2FBC9326F09896DEA8687291D734E945DB81

Function 00F51C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632ebe805e323fae55b1b83f4d7d24f8e7b778eb629c2aceaaaeec0bcca05353
Instruction ID: 68c4344c5bc50e0a12b771faa2a174a4d7711a498cafaaba308757f132a47b0d
Opcode Fuzzy Hash: 632ebe805e323fae55b1b83f4d7d24f8e7b778eb629c2aceaaaeec0bcca05353
Instruction Fuzzy Hash: 8DD1D031A18755CFC318CF38D89162BB7E2FBC9316F09896DE98687291D734E909DB81

Function 00F2D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4023ebe82ff16c8d532ffa6ab399e358a5da244f94678497ce40643cce488694
Instruction ID: 0c276e3dd6557e076e62b6576629c3496e9d4f6e18a46ce228a028bfb360755b
Opcode Fuzzy Hash: 4023ebe82ff16c8d532ffa6ab399e358a5da244f94678497ce40643cce488694
Instruction Fuzzy Hash: 5AC11671908310AFD7109F24EC45B5ABBE2FFD4365F148A2CF899932A0D7769918EB42

Function 00F42B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 054ebeba9b236e3f06ba48e4e25a1f6bcc0ff61293e877d96d49a0124dfd72b1
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: 2AF13B72605B808FD315CB3CC8913A6BFE2AF96314F1D866CD5EB8B392D639A805C711

Function 00F454C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d1c9e3a88aa566ea66b6d3a7d33c29c6f7b0ad0537e8dc3132a74ebdd7672b
Instruction ID: a74170ae505a7d6594ede31b7e9c0a6fed7f158d2e46f668eb1ec41df423d715
Opcode Fuzzy Hash: 37d1c9e3a88aa566ea66b6d3a7d33c29c6f7b0ad0537e8dc3132a74ebdd7672b
Instruction Fuzzy Hash: D7F1AB62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5428755

Function 00F221DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: 58fa2175734137b2c5e3296b0442f82043304bd814ad8a89f734f2b2d8ee857a
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: 6FC1E9B6A04B408FD724DF38D8D23A6BBE1BF55314F18892DD4DB87382E639A445DB12

Function 00F2D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f1f9d23f65e6aae33c840fce124eca66738998acbf4f54729b6d03dc42a6f6
Instruction ID: 12c2d779bbb4b1a4151cd106232e5f4d989674203218f8cb131f1dcc4a82d199
Opcode Fuzzy Hash: b5f1f9d23f65e6aae33c840fce124eca66738998acbf4f54729b6d03dc42a6f6
Instruction Fuzzy Hash: 55912972A082614BC715CE28D89029FBBE1AB85324F19867DECF99B3D2D2349C05E7D1

Function 00F163C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: a401f87d2923aa9ad3767b499a2c2e89380d0a1bbab1f7f637e4d4b1cd025822
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 66C15CB2A087418FC360CF68DC96BABB7F1BF85318F08492DD1D9C6242E778A155DB46

Function 00F38B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b778929f9c0b10f8b97324b4dfb640885e7c645d46acfe3a3ecafc410142e63
Instruction ID: 2e208a0bfa7a3da9ac99aae04f3a1bbad9c190fd18896fbdb47af91a3284c5a6
Opcode Fuzzy Hash: 0b778929f9c0b10f8b97324b4dfb640885e7c645d46acfe3a3ecafc410142e63
Instruction Fuzzy Hash: 5FA15831A08391DFE7248F389C5035A77E2BF86321F18866CF6A5872D1DB789951DB81

Function 00F18360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892517d5ce4c61a84d0bdda5d69420ce4bb36ca769d626e3d8741997d80ca345
Instruction ID: 274559b111fe4bb218c1c1d362bba5e1050ea593926a77ecbdc70171718206f7
Opcode Fuzzy Hash: 892517d5ce4c61a84d0bdda5d69420ce4bb36ca769d626e3d8741997d80ca345
Instruction Fuzzy Hash: D7913C31E083564BC3119E24C5803DBBBD79BC13A0F18CA69D8D1973A9EE74DC86A7C1

Function 00F37070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f892159f4df3ef3a6c6d0d6f1fc35a18b57f088cc52dfd597845df7af2110c5f
Instruction ID: 4f5aa74cab536c2fdc0ded38bac4e50905408d5d89ef292ce3e437e3d12a9cc9
Opcode Fuzzy Hash: f892159f4df3ef3a6c6d0d6f1fc35a18b57f088cc52dfd597845df7af2110c5f
Instruction Fuzzy Hash: F0914775E04605DFDF19CFA8D8907AAB7B2FF49311F588098D502AB361D739AD42EB40

Function 00F52A60 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263d4c969ee8b5b6153b326e417af7e7ed1a4419a74086e293f08d722855e981
Instruction ID: 5e24b80187ea481a2d7f5f95173a8e2e233666cf70920d98dced8b8615ed2956
Opcode Fuzzy Hash: 263d4c969ee8b5b6153b326e417af7e7ed1a4419a74086e293f08d722855e981
Instruction Fuzzy Hash: FA81C0356043069FC764DF58C890A6AB3E1EF86361F18862CFE958B3A1E734EC55EB41

Function 00F4F820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: 447909ed1e7fd75dda3dc44eb82d0a0762e5174205437170d62a461d78496263
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: AB81943160C3929FC315CF28C49062ABFE2AFC5314F198A7DE8D98B391D635D84ADB52

Function 00F39ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13647a1e7dc13eadb6483e3a5c83c972e99abe727330c87f70979f99d41bc51
Instruction ID: 5ac92c2b04faeb4055ec8e9d5df673f7df8c6ba101a09da0b9c305b726c10384
Opcode Fuzzy Hash: a13647a1e7dc13eadb6483e3a5c83c972e99abe727330c87f70979f99d41bc51
Instruction Fuzzy Hash: D87148B2A087148FD7098F29D85133FB6D2ABC4311F49467CE9979B392DBB89801DB91

Function 00F3DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad66da57057faece7ac0cd4bce524607bedcc5e3c7357ab2d6af53972c3911e
Instruction ID: ed104826804bf423893f678e63936b157861939d20463bf37e43dfe9ac2a8604
Opcode Fuzzy Hash: 0ad66da57057faece7ac0cd4bce524607bedcc5e3c7357ab2d6af53972c3911e
Instruction Fuzzy Hash: 9C71BBB450D3D18BE7368F25A49839BBFE1AFA3324F184A5DD0D90B292C735440ADB97

Function 00F1CFEC Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1971df3c87da8bf614f81a1aeb7575c1e2ef68053149c33683aad2f514ef8832
Instruction ID: 3280b0fac2c67ac80924629c6540a72f68563dfc0c98af49fdd97305ef1c3c1d
Opcode Fuzzy Hash: 1971df3c87da8bf614f81a1aeb7575c1e2ef68053149c33683aad2f514ef8832
Instruction Fuzzy Hash: 54516A72605B008FD329CF38CC92A967BA3AFD6314B1D866CC5924B796EB39A406C740

Function 00F47B69 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26cb095a00476a592d35de74068c323b0db82961f42d105ca4f9e6dea2f9f2ed
Instruction ID: d588bc9059b242640c1344df87a98d53c88cf5eaed04004ea1dc4e3cff9b6e2e
Opcode Fuzzy Hash: 26cb095a00476a592d35de74068c323b0db82961f42d105ca4f9e6dea2f9f2ed
Instruction Fuzzy Hash: E091A3B1E042548FCB08CF6CC99179EBBF2AF89310F29829DD855AB391D7759C01CB91

Function 00F2DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d8496fa4e88cbaa8acd205e382e5cdefde3c12f0e64442cfaa2b218f0216fe
Instruction ID: acd04cb3f3aa2886393ef0b05b80624a28a4feccd3edf5b48910c1316d04df20
Opcode Fuzzy Hash: 44d8496fa4e88cbaa8acd205e382e5cdefde3c12f0e64442cfaa2b218f0216fe
Instruction Fuzzy Hash: 92615B3374DE904BE3288D3D6C61365BA834BD6334B2DC37DA5B58B3E5D9A54C02A340

Function 01087C60 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0b2d846fcae4c1b7a18c2eb1cd83009a1c070e57a5b17d754bb59ecaba6d78
Instruction ID: 2af655f2584fbb96cd9b6b80b1c1917baedeaa90ff7bba4331e0186c98a4e438
Opcode Fuzzy Hash: db0b2d846fcae4c1b7a18c2eb1cd83009a1c070e57a5b17d754bb59ecaba6d78
Instruction Fuzzy Hash: 416129F3A086049FE3086E2DEC5577ABBD9DBA4324F1B853DD5C9C7384F93958018286

Function 010D9AF9 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b76c668623909505584511907c68f7acd195384b57ea0f099952e3f38add5b
Instruction ID: 52cce36bb791c1b7effe7f6d4b28894c0d4ca9d0e49e766af2a941eed0bd7446
Opcode Fuzzy Hash: 76b76c668623909505584511907c68f7acd195384b57ea0f099952e3f38add5b
Instruction Fuzzy Hash: 8661F4F350C308AFE3106E59EC81A7AF7E9EB94720F19852DE6D083704EA3669058697

Function 00F2A690 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354295d4c28cec72fb867da8f8f2d8de5f3c17cd5678038479d2c2b6a9a0d6ca
Instruction ID: 1567ec9f45f9e113292880caec03772dc68ff24e4c2803151914596936cac75f
Opcode Fuzzy Hash: 354295d4c28cec72fb867da8f8f2d8de5f3c17cd5678038479d2c2b6a9a0d6ca
Instruction Fuzzy Hash: 2861D233F669A04BD724893CAC512AA7E530BD733473DC366E975DB3E5C6268C026391

Function 00F3BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: f8479af127460d103dd639997d6e64937d3261df7c61c72adeddbf92a96b7956
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: BC61D432B083544BD7249E2DD8E032AB7D2ABC6374F19876CEAB58B3E5DB309C459741

Function 00F2B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bc0fc4d38cea7e61e42f58f205f7ae6094708cdc85084f6155be3029b319a2
Instruction ID: 808e01bb1c570968ddf96dacf53bcffcc6871945b9508a4ca63c8a51465cb852
Opcode Fuzzy Hash: 06bc0fc4d38cea7e61e42f58f205f7ae6094708cdc85084f6155be3029b319a2
Instruction Fuzzy Hash: 1B413B72A147514BD3298A35C862373BFA3EFA3305F1C846DC5D38B656DB39A50B9710

Function 00FBAD88 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd323cb3a582e8293871c10df0822df2bcf6efba254350b3156cfefdf7b2711
Instruction ID: 6d7e7bb803e1fb2309b6d6f0e0e560cf29068811b8084b52cf79aa378df3cc69
Opcode Fuzzy Hash: cbd323cb3a582e8293871c10df0822df2bcf6efba254350b3156cfefdf7b2711
Instruction Fuzzy Hash: 8C51D2F360C2009FE304AA29EC4563EB7E6EFD4720F1A892DE6C4C3744EA355841CA97

Function 00F474AB Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83975b6e0631895705631f0367ad8f4975d7ebeef4c66a8dc72bda2a069138e8
Instruction ID: 9dc817b0055b3697b31da4dbfc5542448e9d39a838f934f638f271f00e4afc95
Opcode Fuzzy Hash: 83975b6e0631895705631f0367ad8f4975d7ebeef4c66a8dc72bda2a069138e8
Instruction Fuzzy Hash: 9F71B5B2E046508FC718DF6CC85135ABFE2AB85314F2982ADD8999F3D2D7759806CB81

Function 00F1CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fff72d744e298b414e6c52e3cbd1f456a8912f85c35153232be25a8f96c981c
Instruction ID: 118a5d9c9b421047eff25ef25607a2bfa5bb4ee3645373c8ddd504ec2e6cbaef
Opcode Fuzzy Hash: 0fff72d744e298b414e6c52e3cbd1f456a8912f85c35153232be25a8f96c981c
Instruction Fuzzy Hash: 6051047664C3118BC718DF64C8A26ABB7E2FFD4314F19992DE5C6DB390DA348801D786

Function 00F2B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cdc3856c425c59eb2a41d360a6cfadb5d70f6d0e87867d37bf79e6ed24b6d5
Instruction ID: c89832a7d47cc7aeb68a0e534a3d436024de0154970b9219b30046fd9bebc58a
Opcode Fuzzy Hash: 45cdc3856c425c59eb2a41d360a6cfadb5d70f6d0e87867d37bf79e6ed24b6d5
Instruction Fuzzy Hash: A0414C72A147514BD3298A35D8623B3BFA3AFE2305F2C956EC8D347642D739A40B9350

Function 00F45D13 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb528cb99d53dad5af2585dba6c8dea7d81e3281b8bc6691674e59eff7681fe
Instruction ID: 7af27aaa9f8f4c04313e068ee1d81b6ceb3f9a1586da0a2141a932b71dfe6f71
Opcode Fuzzy Hash: afb528cb99d53dad5af2585dba6c8dea7d81e3281b8bc6691674e59eff7681fe
Instruction Fuzzy Hash: 26913C11208BC28ED7268A3C88586157F915BA7238B2D87DCE0FA8F7E7C657C107D366

Function 00F4ACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 87fc2cd97c8d7b44f232f93837476676a28483f4118d17ede9668fb2fa3f7217
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: C7515FB19087548FE314DF69D49435BBBE1BBC4314F044E2DE5E987351E379D9088B92

Function 00F4443D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c32080f9282bdccf71f2291722efdfc3dc3022cb0934f412a1469ddaa0e3b2
Instruction ID: 9eed80ad49c7f53f4fa1ceb50d44ed9ef8c47d5f63cd56ba11566ab5513c39bb
Opcode Fuzzy Hash: e3c32080f9282bdccf71f2291722efdfc3dc3022cb0934f412a1469ddaa0e3b2
Instruction Fuzzy Hash: 60912C11208BC28EC326CA3C88586557F925B67228F2D87DCD0FA8F7E7C7669507C766

Function 00F518A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256de64fc92342669a0fa43fd285aa0602a2bfbc21f0d40667d9534f575c6883
Instruction ID: c0c95e5c0e67c75c6ddc4fc10f39e313b14577773f604bf7d5fb9cf4da7e8c54
Opcode Fuzzy Hash: 256de64fc92342669a0fa43fd285aa0602a2bfbc21f0d40667d9534f575c6883
Instruction Fuzzy Hash: 24513836A08315CFC7109F64E89076AB3E1FB89356F0A887DDA8557350D334E88AEB81

Function 00F12210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed31ccc694219d9ec91899769e31c40133359ae85369b06f4a93e6e9c28611e6
Instruction ID: 2e6bd516990ea42ba1c285beaf13954e412317124cb2d21d6d3550138c8bf2ca
Opcode Fuzzy Hash: ed31ccc694219d9ec91899769e31c40133359ae85369b06f4a93e6e9c28611e6
Instruction Fuzzy Hash: E051DEB19047019BD3209F68DC4475BBBE4BB85334F14472CE9BA872E0E334E965EB86

Function 0110F328 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7da2fb3136e18c595926c8bd1a77fef3ea7f37977bd41ad5932566794a6d2
Instruction ID: 63c8d6491170a307935f4c2bb78bef339897f04707c2cb0af11246c0cfb2d778
Opcode Fuzzy Hash: 67b7da2fb3136e18c595926c8bd1a77fef3ea7f37977bd41ad5932566794a6d2
Instruction Fuzzy Hash: CF5137B3D0C112CBD32E6E28D84667AB7E1AB54220F07492EDDC6D77C4E7F599028683

Function 00F7A848 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0588cdd6cd518830aab00f6a27f3b06107033b116dfd6dc932296430d40dd0e4
Instruction ID: fcd7b0e67bcbf4f60778abed5b3116e43ca1424fc275d368883974554add82fc
Opcode Fuzzy Hash: 0588cdd6cd518830aab00f6a27f3b06107033b116dfd6dc932296430d40dd0e4
Instruction Fuzzy Hash: 145129F390C2109BE30CAE28EC9577AB7D9DB54720F1A462DEAD6D3784E97558048286

Function 00F46610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786817115bf91e26eabb5a7328348e5124cdeeff35ed59f67d6d7d3f43754636
Instruction ID: e9e79d5b48e0685ae7d7ed0a47b9cdb675d4edc6060c555029865f6da19ff41f
Opcode Fuzzy Hash: 786817115bf91e26eabb5a7328348e5124cdeeff35ed59f67d6d7d3f43754636
Instruction Fuzzy Hash: 5251F533B59A904BD328893C5C623667E930BD7338B2DC76EE9B1CB3E5D95988056341

Function 00F4CB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 0cffdccec443c5ac77cc391dcb76a6332e7bca4d0b87a3caf686931401b4ca13
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: 8151F333E169704BC7648D7D9C8135ABA92AB82330F2A8339ED75EB3D0DA349D0153C1

Function 00F51FB0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db609cf865581d05cd7f2a128be871ad4a5a6883de7e8c608f57929ad5ed2dd1
Instruction ID: ed476d4a1e85f189340aa8ed813506a65d6246c355e268950605f91ebad46cd7
Opcode Fuzzy Hash: db609cf865581d05cd7f2a128be871ad4a5a6883de7e8c608f57929ad5ed2dd1
Instruction Fuzzy Hash: 5D51363061D744DFD3448F38D86066BB7E2FB8632AF498A6CD5C687291C335D85AEB81

Function 01127AF6 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1871a1d3876fc538d2cc39d68630fe4109d90f0711d5ef2e29c14239b8946bfd
Instruction ID: 8523e6ad679b25a41d78911bcdd9e11697b62d31116bb4907dec0edb2d49b951
Opcode Fuzzy Hash: 1871a1d3876fc538d2cc39d68630fe4109d90f0711d5ef2e29c14239b8946bfd
Instruction Fuzzy Hash: 2651B3F250C2219BD309AE28EC8567BB7E4EB28720F17492DD6C2D7780E63169618797

Function 010C88D4 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e8cea4a292b99ec625c7c858c9320906b01df18b062a2a3b5aa4ffc7036d22
Instruction ID: 2d4fcdfb0b8f9bdce519ddddeb40376257df441bc8b7aadf59d80ff6af360e8e
Opcode Fuzzy Hash: f4e8cea4a292b99ec625c7c858c9320906b01df18b062a2a3b5aa4ffc7036d22
Instruction Fuzzy Hash: 8851D0F7F0122547F3544929DC643A266938BE6320F2F82B98E5C6B7C2E87E5C0A5384

Function 00F4C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a57b23225558867deabfb9e786a394142b864465a7d50f111f9117d2ef9a2a3
Instruction ID: 99797cd79c31e858715745edfba0b9c4393a22c57418c993280d109d48afd193
Opcode Fuzzy Hash: 8a57b23225558867deabfb9e786a394142b864465a7d50f111f9117d2ef9a2a3
Instruction Fuzzy Hash: 29412572E053046BD3549E64EC81B6BBBA8EB85714F14942CFE8593251E735EC04ABD2

Function 00F5768E Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e3a9c7938835fa8ccbc43d8c8c8266e4d973f25d0204ecddcb5f8f5ddd4e1d
Instruction ID: 1534b9e50f69a5f63fcade5a6ffad44fc5f1488100c9c0561d16ee8ad0a819b7
Opcode Fuzzy Hash: 87e3a9c7938835fa8ccbc43d8c8c8266e4d973f25d0204ecddcb5f8f5ddd4e1d
Instruction Fuzzy Hash: CF415BB3F412258BF3404A6ADC5836266839BD5720F2F81788A5C6F3C6D97EAC4697C4

Function 00F1A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a97fb9ec98d333bf67e23199b9ae758a561517836cfde15d6028fb45b1e6026
Instruction ID: cf7b30c5b159bd152b0b95b022a1bf7a46be943789d95413b9bd4b8e479b2d24
Opcode Fuzzy Hash: 1a97fb9ec98d333bf67e23199b9ae758a561517836cfde15d6028fb45b1e6026
Instruction Fuzzy Hash: B6416033B106519BC71C8E68C8A23AAFBA3FB8A320B1E512DC955A7745D7789C415BC0

Function 00F2B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb7e83d6b2d0b8d5caa6783bb0c058ba00262aa892ba5b0ef0908190d2f63ab
Instruction ID: 6a3a351372a2379ae7a8eb9bb87a57f9262c8a79c577463ebb106d2f759795fe
Opcode Fuzzy Hash: fdb7e83d6b2d0b8d5caa6783bb0c058ba00262aa892ba5b0ef0908190d2f63ab
Instruction Fuzzy Hash: E73134316047918FCB288F39D4613ABBBF1DB5A324F28496CC5D787782C339A846DB10

Function 00F50BAB Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43469a82e4fec8a4832ab397e9228f694659406eb63a004a9311b35f84f562fa
Instruction ID: 7830df6a5d2ea7f4d9c1a7ed28739aba2933a0b9cf60ae1ac45d9ee9a8cc724c
Opcode Fuzzy Hash: 43469a82e4fec8a4832ab397e9228f694659406eb63a004a9311b35f84f562fa
Instruction Fuzzy Hash: F6315A609146928BDB11CF34C8A17B6B7B0FF47321F144759C8C18B681EB786586DB81

Function 00F2AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb6f42cd1f7fb210375a5d3f0f10142573e7f19319d9ccb0474b0c64ca9ce84
Instruction ID: 3b3a70e07277dcf5bcef01555ebfd3eeee21a8df6eedef978fd9a51e727026ad
Opcode Fuzzy Hash: abb6f42cd1f7fb210375a5d3f0f10142573e7f19319d9ccb0474b0c64ca9ce84
Instruction Fuzzy Hash: 612126718086A28FD7268B34E8507B2BBA1EF63305F28149DD5C38B253E725A50AD761

Function 01093759 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61743483acf7b72cb74a2fca6027506f6f8db0888c6cf4bdd4f1c8dc4b323ab9
Instruction ID: 9bf851dbe6899c30ef8055c063655d0a9e30708a5db10f0b7c5d3e7abce9323d
Opcode Fuzzy Hash: 61743483acf7b72cb74a2fca6027506f6f8db0888c6cf4bdd4f1c8dc4b323ab9
Instruction Fuzzy Hash: 4C31A3B3F156104BF3505D38DC897AABAD6AB94320F2F4A38CAE8D76C1D93D490587C6

Function 00F12B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b54bbe534a036538bd9284c33420d8fa6a17a5742bc9d378af6f0bfe48d55b
Instruction ID: ae3fbe21258c65172d84de0a6802b0c5e552de5d97e1014ee6da2127d40738c3
Opcode Fuzzy Hash: 17b54bbe534a036538bd9284c33420d8fa6a17a5742bc9d378af6f0bfe48d55b
Instruction Fuzzy Hash: AC21A43561C2A50BC758CE7DA8F04B6B791A78B317719026FEBC287352D61898E4B760

Function 00F48520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 3f5f253708c45fc545be7fc73b58444571f48ccf384610a579c6ac4f3c025b90
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4F11A933A051D40EC3169D3C8840569BFE30AD3675F5D8399F8B8AB2D2DA22CD8B9355

Function 00F3BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction ID: 7f2ec576addd104a13ec4b55fe08544710fb6c08f5d8b7f87682d8c417c89d9f
Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction Fuzzy Hash: 8D0184F6B0070167DB219E549DE1B3BF2A86FC1734F18442CEA0857206DF79EC06E6A5

Function 00F2B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7ff5480b5eff4d6122077479ed0663d6980e8797d4e28f0f929479556a2890
Instruction ID: 32a331f526910023b40b861639d08d4dfaf74adc8c9bdb6caa902f9b528ba24c
Opcode Fuzzy Hash: df7ff5480b5eff4d6122077479ed0663d6980e8797d4e28f0f929479556a2890
Instruction Fuzzy Hash: FE11D331104B508FD7248F25C824367BBE19B66329F198A5DC5E7976D1DB7AE10A8B40

Function 00F2B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 331b418e6b71ad51b0e8359c485807543b7f383bf632737f0750350ccb16b7d2
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 0B0184215082D28FD7128F28D4207A6FFE0EFA3320F1896C6D4D58F283C3789945DBA5

Function 00F2B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: f69c8845f7c1156b9939a2160e1343b06cbdb104fc82294ef2188e5d4991bd93
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: 4E01A2215082D28FE7128F2894207B6FFE0EFA3320F1896C6D4D58F283C3689945DBA5

Function 00F1C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c0758c0712d96eff5ce5cf561a28babde0134a1ead57fb9d541daa2117c263
Instruction ID: 256d69dd0c0d5a8fae98750dc57140cfbc7887315bb23f0779fb0ba7318b4c79
Opcode Fuzzy Hash: f8c0758c0712d96eff5ce5cf561a28babde0134a1ead57fb9d541daa2117c263
Instruction Fuzzy Hash: D811483028C3808FD714CF64D9D57ABBBE19BD2308F244A2CE5C117292D3F589099BA7

Function 00F2BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: d6a2dfa3c1bc24ac51d8e962db7f95450d53b3fb07ba9e89a6c575bdfa2631b6
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: 75012B655042928FEB118F28D410766FBE0EF63320F1896D6C4D58F283C379C845C765

Function 00F2AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 22588962807df533517d663852966a167dd2a36b7e30e0d593dc3b519265c2a1
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: F801D6205082D28FE7124F2894217B6FFE0EF63320F1896C6D4D58F1C3C3698945D765

Function 00F1C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c47ba4b02d520be190b7220ddfadbec1f210157c3ac31ad7369136695db821d
Instruction ID: f4b119bad2fae3827ae2b6165a47f347c64fdf5ab59dddc87aaf7c1bb0ef30ef
Opcode Fuzzy Hash: 2c47ba4b02d520be190b7220ddfadbec1f210157c3ac31ad7369136695db821d
Instruction Fuzzy Hash: 1111277065C3808FD318CF28ED8075BBBE2EBDA314F248A1CE5D217255C6B19949DBA6

Function 00F4F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5354be8a0085462da86b033a8f8f15c3475f0f592c22eac821233d0f5d435bc
Instruction ID: f0f41aac28ffc467af95125b836cd0ce8f65e5fa65e951ab47866dc4a3be365e
Opcode Fuzzy Hash: e5354be8a0085462da86b033a8f8f15c3475f0f592c22eac821233d0f5d435bc
Instruction Fuzzy Hash: 21F0F932900308BFD1104A49DC80D377B6DE7CD738F140328F91A521A1F322FD54A7A1

Function 00F28672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2172d4823417974d265f1a04b2e6814c084c8b19c60c6a625053e4ae03b521
Instruction ID: 7daa3a0a8d8237058be3079ad12334ff438f839477a871b613d6d21fc6cf15b5
Opcode Fuzzy Hash: 3b2172d4823417974d265f1a04b2e6814c084c8b19c60c6a625053e4ae03b521
Instruction Fuzzy Hash: 71F08235902728CEC7198F58BDD14347761F7463E3B181455C503A30A4EF30AC53F949

Function 00F19E09 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77d5c46a945d3623e182595ad65acc45b5d8efbba2414e52ee7231f36518d3c
Instruction ID: cc080945440f6068117f72c6380711ef3fabd509d4cd9fdc1b761a636058479c
Opcode Fuzzy Hash: d77d5c46a945d3623e182595ad65acc45b5d8efbba2414e52ee7231f36518d3c
Instruction Fuzzy Hash: EEE09A34918209CFCB04CF48D8626B7B7B0EF0A312F146059DE83EB360E3349941E7A8

Function 00F1CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77bf4b8864a313d2186d30098361e8bbc443a0485bd3282715d5feda5bd06f6
Instruction ID: fc531b0a1049c620ed99368c03ec920e20dc086dde94a9ed9452a4bccc7b4614
Opcode Fuzzy Hash: d77bf4b8864a313d2186d30098361e8bbc443a0485bd3282715d5feda5bd06f6
Instruction Fuzzy Hash: 48E07D30A097848BC218FB11DD714BBB3B2AF81344711585D914317752CE68A882EB95

Function 00F3B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd717049fd7487a7eab39c243705cfd01f0fdeb436e9cc3bc500c4bb1e56c472
Instruction ID: a995663208c5a7dea1511d970171133868fd3a01a6c3391d377104f70d79ad5c
Opcode Fuzzy Hash: cd717049fd7487a7eab39c243705cfd01f0fdeb436e9cc3bc500c4bb1e56c472
Instruction Fuzzy Hash: 25E08C75E08705CF86188F04E9A2635B3A1EB96322F1854A9924667121F320AC42F646

Function 00F2F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: e23dc8eb1510eb1dc0cec340fb17906c894e7e7a8513b58a6839c2a8166c7045
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: A9D097319087B00E9718CD3810A0437FBF8E943622B0810BEE4C1E3144C220DC055298

Function 00F1D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd38a047228453a7c58d704865e875ca392d8ebbdc45ae741f2807ea4bd0678a
Instruction ID: 3e796335ad7b3aa14d4c4d1e703938c8a35e99816dedbb1504d0ebe3be67c3d7
Opcode Fuzzy Hash: bd38a047228453a7c58d704865e875ca392d8ebbdc45ae741f2807ea4bd0678a
Instruction Fuzzy Hash: 92C04C2565C2088B924CDA25BC50572B6769B8A215B15E019850653355E1209452A50D

Function 00F3F0FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00F3F23F

Strings

aN@, xrefs: 00F3F2FC
#v, xrefs: 00F3F23F

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: FreeLibrary
String ID: aN@$#v
API String ID: 3664257935-1204080873
Opcode ID: d72eae4660e374f2a138e12928e67331928fd3d3ae9ec7f88575c4219101f894
Instruction ID: 42b417db25d27641479f2d0a4ed244b7075b591a49d32071485b3d90538bc056
Opcode Fuzzy Hash: d72eae4660e374f2a138e12928e67331928fd3d3ae9ec7f88575c4219101f894
Instruction Fuzzy Hash: 88516671A0C3C48BE3358B289C557ABBFD2AFE2319F18096CE0D95B3D2DA74440AC752

Function 00F1BA80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00F18A9E), ref: 00F1BA86
FreeLibrary.KERNEL32 ref: 00F1BAA7

Strings

#v, xrefs: 00F1BA86, 00F1BAA7

Memory Dump Source

Source File: 00000000.00000002.2150322514.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2150308454.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150355044.0000000000F65000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000000F67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.00000000011FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150371328.0000000001214000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150598870.0000000001215000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150701147.00000000013B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150715707.00000000013B6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_v3tb7mqP48.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 71c4f27f177bc3232873f3b79e0d488fe2651230013b1c30169de2d4849c9a8d
Instruction ID: baec0821d606cb17197db77f4084aeae93bd81059c184184d8c41dfff2c19ea4
Opcode Fuzzy Hash: 71c4f27f177bc3232873f3b79e0d488fe2651230013b1c30169de2d4849c9a8d
Instruction Fuzzy Hash: B1C0023346070C9FDE057BA0FD0D8583A31FB48707B144064F70740435DA220924FA92

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report v3tb7mqP48.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
v3tb7mqP48.exe

Function 00F1B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Function 00F18880 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Function 00F1AA36 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Function 00F502C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00F50260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 00F1AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Function 00F4EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 00F4EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON